Threat Advisory

Rucio Vulnerabilities Expose Arbitrary Database Query Gaps

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Two critical SQL injection vulnerabilities have been identified in the Rucio Project DID Search API, affecting both PostgreSQL and Oracle database backends. These flaws allow authenticated users to execute arbitrary SQL queries through crafted requests to the /dids//dids/search endpoint, potentially leading to complete database compromise, theft of authentication tokens, extraction of password hashes, unauthorized data access, and possible remote code execution in PostgreSQL environments. The vulnerabilities originate from improper handling of attacker-controlled input within query-building functions, where unsafe string formatting bypasses parameterized SQL protections. Fixed versions are available across supported Rucio release branches.

CVE-2026-29090 with a CVSS score of 9.9 – A critical SQL injection vulnerability exists in FilterEngine.create_postgres_query when the postgres_meta plugin is enabled. Authenticated attackers can inject malicious SQL commands via the DID search API, enabling full database access, data theft, modification, and possible remote code execution through PostgreSQL features such as COPY ... FROM PROGRAM.

CVE-2026-29080 with a CVSS score of 9.4 – A critical SQL injection flaw affects the Oracle implementation of FilterEngine.create_sqla_query using the json_meta configuration. Improper interpolation of attacker-controlled filter keys and values into SQL queries allows authenticated users to execute arbitrary database commands, exposing sensitive records including authentication tokens, password hashes, and metadata.
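The root cause named above, a metadata filter built by string formatting instead of parameter binding, is illustrated below with an added example. This is hypothetical stand-in code written for this advisory, not Rucio's FilterEngine; SQLite's json_extract stands in for the PostgreSQL/Oracle JSON metadata columns, and the table and rows are constructed sample data.

```python
"""Vulnerable versus hardened metadata-filter query builders (hypothetical
stand-in, not Rucio code). SQLite json_extract plays the role of the JSON
metadata column used by the postgres_meta / json_meta backends."""
import re
import sqlite3

# Constructed sample data: a DID table with a JSON metadata column.
SAMPLE_DIDS = [
    ("cms", "run1.root", '{"project": "alpha", "run": 1}'),
    ("cms", "run2.root", '{"project": "beta", "run": 2}'),
    ("atlas", "private.root", '{"project": "gamma", "run": 3}'),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dids (scope TEXT, name TEXT, meta TEXT)")
    conn.executemany("INSERT INTO dids VALUES (?, ?, ?)", SAMPLE_DIDS)
    return conn


def search_vulnerable(conn, scope, key, value):
    """Interpolates caller-supplied scope, filter key and value straight into
    the SQL text: the flaw class described in the advisory. A value such as
    "alpha' OR '1'='1" turns the filter into a tautology and leaks every row,
    including DIDs outside the caller's scope."""
    sql = (f"SELECT name FROM dids WHERE scope = '{scope}' "
           f"AND json_extract(meta, '$.{key}') = '{value}'")
    return [row[0] for row in conn.execute(sql)]


_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def key_is_valid(key):
    """The key becomes part of a JSON path, so it is validated against a strict
    identifier pattern rather than trusted; values never need this because
    they are bound as parameters."""
    return bool(_KEY_RE.match(key))


def search_safe(conn, scope, key, value):
    """Rejects unexpected keys and binds scope, path and value as parameters,
    so their content is passed to the engine as data, never parsed as SQL."""
    if not key_is_valid(key):
        raise ValueError(f"invalid metadata key: {key!r}")
    sql = ("SELECT name FROM dids WHERE scope = ? "
           "AND json_extract(meta, ?) = ?")
    return [row[0] for row in conn.execute(sql, (scope, "$." + key, value))]
```

Running both builders with the same crafted value shows the difference: the formatted query returns every DID in the table, the parameterized one returns nothing because no metadata literally equals the crafted string.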

RECOMMENDATION:

We recommend updating Rucio to version 35.8.5, 38.5.5, 39.4.2, or 40.1.1 or later.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6j7p-qjhg-9947
https://github.com/advisories/GHSA-vjr5-c9qv-hgm3
