PT-2026-38081 · Rucio · Rucio
Mistz1 · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-29080
CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rucio versions 1.27.0 through 35.8.4
Rucio versions 38.x through 38.5.4
Rucio versions 39.x through 39.4.1
Rucio versions 40.x through 40.1.0

Description
A SQL injection issue in the create_sqla_query() function allows authenticated users to execute arbitrary SQL commands against the backend database. This occurs specifically in Oracle deployments using the default json meta plugin. The flaw exists because attacker-controlled filter keys and values are interpolated directly into sqlalchemy.text() using Python string formatting, which bypasses parameterization. This can be exploited via the 'GET /dids//dids/search' endpoint. Successful exploitation may lead to full database compromise, including the extraction of password hashes, authentication tokens, and managed data identifiers, as well as the potential modification of database contents.

Recommendations
Update to version 35.8.5.
Update to version 38.5.5.
Update to version 39.4.2.
Update to version 40.1.1.
As a temporary mitigation, restrict access to the 'GET /dids//dids/search' endpoint.
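The interpolation flaw the description names, shown as an added example that is not Rucio's code: a metadata filter builder that formats both keys and values into the SQL string, beside one that allowlists the keys and binds the values as parameters. Python's standard-library sqlite3 stands in for SQLAlchemy's text() so the block runs offline; the table, column names and rows are constructed, and the `?` placeholders play the role that bound parameters (bindparams) play in SQLAlchemy. Nothing here reproduces Rucio's schema or its patch.

```python
import re
import sqlite3

# Constructed sample table standing in for DID metadata (not Rucio's schema).
SAMPLE_ROWS = [
    ("scope1", "file_a", "raw", "alice"),
    ("scope1", "file_b", "derived", "o'brien"),
    ("scope2", "file_c", "raw", "bob"),
]

# Allowlist of filterable column names. A filter key outside this set is
# rejected before it can reach the SQL text; identifiers cannot be bound as
# parameters, so an allowlist is the only safe way to accept caller-chosen keys.
ALLOWED_KEYS = {"scope", "name", "datatype", "owner"}
_IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def open_sample_db():
    """In-memory database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE did_meta (scope TEXT, name TEXT, datatype TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query_unsafe(filters):
    """Vulnerable pattern: keys and values formatted straight into the SQL
    string. Any quote or SQL syntax in the input becomes part of the statement,
    which is exactly what text() with Python string formatting does."""
    clauses = ["{} = '{}'".format(k, v) for k, v in filters.items()]
    sql = "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY name", ()


def build_query_safe(filters):
    """Hardened pattern: keys checked against the allowlist, values passed
    as bound parameters so the driver never parses them as SQL."""
    clauses, params = [], []
    for k, v in filters.items():
        if k not in ALLOWED_KEYS or not _IDENT_RE.match(k):
            raise ValueError("unsupported filter key: %r" % k)
        clauses.append('"{}" = ?'.format(k))
        params.append(str(v))
    sql = "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)
    return sql + " ORDER BY name", tuple(params)


def search(conn, builder, filters):
    """Run the built query and return the matching DID names."""
    sql, params = builder(filters)
    return [row[0] for row in conn.execute(sql, params).fetchall()]


if __name__ == "__main__":
    conn = open_sample_db()
    # A legitimate value containing a quote: the safe builder handles it,
    # the unsafe builder turns it into a malformed statement.
    print(search(conn, build_query_safe, {"owner": "o'brien"}))
    try:
        print(search(conn, build_query_unsafe, {"owner": "o'brien"}))
    except sqlite3.OperationalError as exc:
        print("unsafe builder produced invalid SQL:", exc)
```

The value test uses an ordinary apostrophe rather than an attack string: a builder that cannot survive a benign quote is the same builder that lets a crafted value rewrite the statement, and the same fix (binding) covers both. The key test matters separately, because the advisory notes that filter keys, not only values, were interpolated; binding does nothing for identifiers, so they have to be validated.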

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-29080
GHSA-VJR5-C9QV-HGM3

Affected Products

Rucio