Description
### Summary

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax.

Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
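The defect class named above (filter keys and values pasted into the SQL text with `str.format()`, so the database parser sees them as syntax) is easiest to recognise next to its hardened form. The following is an added example written for this page, not Rucio's code: the table and column names, the `FILTERABLE_COLUMNS` allowlist and the function names are all constructed. The hardened builder validates each filter key as a plain identifier against an allowlist and returns the value as a bound parameter for `cursor.execute(query, params)`, so the value never enters the SQL string.

```python
import re

# Constructed names for this example; they are not Rucio's schema.
TABLE = "did_meta"

# Only plain, unquoted PostgreSQL-style identifiers are accepted as column names.
_IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")

# Allowlist of columns a caller may filter on (constructed for the example).
FILTERABLE_COLUMNS = frozenset({"name", "datatype", "run_number"})


def vulnerable_query(filters: dict) -> str:
    """Vulnerable pattern: keys and values are interpolated with str.format.

    Whatever the caller supplies becomes part of the SQL text, which is the
    defect class described in the advisory (illustration only, not Rucio's code).
    """
    clauses = ["{key} = '{value}'".format(key=k, value=v) for k, v in filters.items()]
    return "SELECT * FROM {table} WHERE {where}".format(
        table=TABLE, where=" AND ".join(clauses) if clauses else "TRUE"
    )


class InvalidFilterKey(ValueError):
    """Raised when a filter key is not a permitted column identifier."""


def hardened_query(filters: dict) -> tuple:
    """Hardened pattern: validate identifiers, bind values as parameters.

    Returns (query_text, params) for cursor.execute(query_text, params).
    Column names must match a strict identifier pattern and an allowlist; values
    are returned separately so the driver sends them out-of-band, never as SQL.
    """
    clauses = []
    params = []
    for key, value in filters.items():
        if not _IDENT_RE.match(key) or key not in FILTERABLE_COLUMNS:
            raise InvalidFilterKey(f"filter key not allowed: {key!r}")
        clauses.append(f'"{key}" = %s')  # %s is the driver placeholder, not str-formatting
        params.append(value)
    where = " AND ".join(clauses) if clauses else "TRUE"
    return f'SELECT * FROM "{TABLE}" WHERE {where}', params


def value_leaks_into_sql(query_text: str, value: str) -> bool:
    """Check used below: does a caller-supplied value appear inside the SQL text?"""
    return value in query_text


if __name__ == "__main__":
    # A value containing a quote character already changes the meaning of the
    # vulnerable query's text; the hardened builder keeps it out of the SQL.
    sample = {"name": "O'Brien"}
    print(vulnerable_query(sample))
    print(hardened_query(sample))
```

With psycopg itself, the column name would go through `psycopg.sql.Identifier(key)` inside `sql.SQL(...).format(...)` and the value would still be passed as an execute parameter; `Identifier` quoting stops the key from being parsed as SQL, but an allowlist is still worth keeping so callers cannot filter on columns the API never meant to expose.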
Published: 2026-05-06
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the FilterEngine.create_postgres_query() function of Rucio allows any authenticated user to inject arbitrary SQL into the PostgreSQL metadata database via the DID search endpoint. The flaw arises because attacker-controlled filter keys and values are inserted directly into raw SQL strings using Python format syntax and then executed as trusted SQL. The impact can include reading, modifying, or deleting sensitive metadata tables, accessing server-side files, and even achieving code execution through PostgreSQL features such as COPY ... FROM PROGRAM if the service account has sufficient database privileges.

Affected Systems

Affected versions of the Rucio data-management system include all releases from 1.30.0 up to and including 35.8.4, 38.5.4, 39.4.1, and 40.1.0 when the postgres_meta metadata plugin is enabled. The security fix is available in releases 35.8.5, 38.5.5, 39.4.2, and 40.1.1 and later.

Risk and Exploitability

The CVSS score of 9 indicates a high-severity flaw, and while the EPSS score is not available, the known exploitability path involves an authenticated user who can exploit the endpoint. The risk is compounded if the Rucio service account has elevated privileges, as this could lead to data exfiltration or remote code execution. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 6, 2026 at 19:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to a Rucio version that includes the fix, such as 35.8.5, 38.5.5, 39.4.2, 40.1.1, or newer.
  • If an immediate upgrade is not possible, disable the postgres_meta metadata plugin or remove it from the Rucio configuration to block the vulnerable code path.
  • Restrict the database privileges granted to the Rucio service account and limit external access to the DID search endpoint to trusted administrators only.

Generated by OpenCVE AI on May 6, 2026 at 19:27 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-6j7p-qjhg-9947
Title: Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
History

Wed, 06 May 2026 20:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Rucio; Rucio rucio

Type: Vendors & Products
Values Removed: (none)
Values Added: Rucio; Rucio rucio

Wed, 06 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 06 May 2026 18:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: ### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Type: Title
Values Removed: (none)
Values Added: Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV4_0)
Values Removed: (none)
Values Added:

{'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-06T18:17:58.146Z

Reserved: 2026-03-03T21:54:06.707Z

Link: CVE-2026-29090

Vulnrichment

Updated: 2026-05-06T18:17:53.703Z

NVD

Status : Received

Published: 2026-05-06T18:16:02.953

Modified: 2026-05-06T18:16:02.953

Link: CVE-2026-29090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T19:45:10Z

Weaknesses