CVE-2026-29090

Name of the Vulnerable Software and Affected Versions Rucio versions 1.30.0 through 35.8.4 Rucio versions 38.x through 38.5.4 Rucio versions 39.x through 39.4.1 Rucio versions 40.x through 40.1.0

Description An issue exists in the FilterEngine.create postgres query() function where authenticated users can execute arbitrary SQL against the PostgreSQL metadata database. This occurs when the postgres meta metadata plugin is configured, as attacker-controlled filter keys and values are interpolated directly into raw SQL strings using Python .format(), which are then processed as trusted syntax by psycopg3's sql.SQL(). The flaw is accessible via the 'GET /dids//dids/search' endpoint. Depending on database privileges, this can lead to the exposure of sensitive tables (such as identities, tokens, accounts, rse settings, and rules), modification or deletion of metadata, access to server-side files, or remote code execution through the COPY ... FROM PROGRAM feature. Password hashes may also be extracted and cracked due to the use of single-iteration SHA-256 without a Key Derivation Function (KDF), a method used to strengthen passwords before hashing.

Recommendations Update to version 35.8.5. Update to version 38.5.5. Update to version 39.4.2. Update to version 40.1.1. As a temporary mitigation, restrict access to the 'GET /dids//dids/search' endpoint or disable the postgres meta metadata plugin.