External risk intelligence

Attacker can steal customer data or gain admin control of Rucio

CVE advisory

Severity: CRITICAL (CVSS 9.4)

CVE-2026-29080

An internal attacker can exploit a flaw in the Rucio platform to gain full database access. This allows them to steal sensitive information such as account credentials and proprietary data, risking a total compromise of the system’s managed information.

Halo Surface Signal score: 2

SQL Injection

CERN Rucio

Affected versions:

  • 1.27.0 to before 35.8.5
  • 36.0.0 to before 38.5.5
  • 39.0.0 to before 39.4.2
  • 40.0.0 to before 40.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-29080

Rucio is a specialized data management platform typically deployed within restricted scientific or research network environments. The vulnerable API endpoint requires valid user authentication to access. Given its purpose for internal data management and the requirement for pre-existing credentials, direct public internet exposure of this service is uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Rucio allows any authenticated user to execute arbitrary SQL statements against the backend database, potentially leading to full data compromise. The issue lies in how certain data filters are processed, especially on Oracle systems, and it can be exploited through the DID search endpoint. This warrants immediate attention for organizations running Rucio on Oracle databases.

  • Database can be fully compromised.
  • Sensitive identifiers and credentials could be exposed.
  • Affects Rucio users on Oracle.

Attack Path

How an attacker could exploit the issue

An authenticated Rucio user can exploit this by sending specially crafted requests to the DID search endpoint. This allows them to execute arbitrary SQL on the backend Oracle database, potentially exfiltrating sensitive data or modifying records.

  • Any authenticated user can trigger it.
  • Exploited via DID search API.
  • Oracle database required.

Live Threat

Current exploitation, exposure, and threat context

Attackers might target this SQL injection vulnerability due to its potential for full database compromise, allowing extraction of sensitive information like authentication tokens and password hashes. The vulnerability impacts Oracle deployments and is exploitable by any authenticated user, significantly lowering the barrier to entry. While the specific use case of Rucio might limit widespread public internet exploitation, any authenticated user within a compromised Rucio environment could leverage this for severe damage.

  • Requires authenticated access.
  • Exploitable on Oracle backends.
  • No public exploit code yet.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate patching of Rucio Oracle deployments for versions affected by this critical SQL injection vulnerability. If patching is delayed, implement strict network-level controls to block access to the DID search endpoint from untrusted sources and intensify monitoring for suspicious SQL queries.

  • Patch Rucio to versions 35.8.5, 38.5.5, 39.4.2, or 40.1.1.
  • Block external access to the `/dids/search` endpoint.
  • Monitor for unusual SQL syntax in logs.
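A first step before patching is confirming which deployments actually fall inside the affected ranges. The check below is an added example, not a Rucio or vendor tool; the version ranges are transcribed from this advisory (affected from the start of each range up to, but not including, the fixed release), and the function names are this example's own.

```python
"""Check an installed Rucio version against the affected ranges listed in this
advisory for CVE-2026-29080. Added example; not Rucio or vendor code."""
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Ranges as stated in the advisory: affected from `start` up to, but not
# including, the `fixed` release of the same line.
AFFECTED_RANGES = [
    ("1.27.0", "35.8.5"),
    ("36.0.0", "38.5.5"),
    ("39.0.0", "39.4.2"),
    ("40.0.0", "40.1.1"),
]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Non-numeric parts (pre-release tags, git suffixes) are rejected rather than
    guessed at, so a malformed string cannot silently compare as "not affected".
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (start, fixed) range containing `version`, or None if the
    version lies outside every affected range."""
    v = parse_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(fixed):
            return (start, fixed)
    return None


def remediation_target(version: str) -> Optional[str]:
    """The fixed release in the same line for an affected version, else None."""
    rng = affected_range(version)
    return rng[1] if rng else None


if __name__ == "__main__":
    # Constructed sample inputs: one affected, one already on a fixed release.
    for v in ("35.8.4", "35.8.5", "39.4.1"):
        target = remediation_target(v)
        status = f"affected, upgrade to {target}" if target else "not in an affected range"
        print(f"rucio {v}: {status}")
```

Tuple comparison makes `35.8` (parsed as `(35, 8)`) compare as less than `35.8.5`, so a two-component version string inside a range is still reported as affected.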

Frequently asked questions

What is Rucio and its primary function in data management?

Rucio is a data management system designed for scientific and research organizations. It assists in managing large datasets by tracking data identifiers and their locations across distributed storage systems.

What is the weakness class for CVE-2026-29080?

CVE-2026-29080 is an SQL injection vulnerability, identified by CWE-89. This flaw allows attackers to manipulate software into executing unintended SQL commands, potentially leading to unauthorized database access or modification.

How can CVE-2026-29080 be triggered in Rucio?

This vulnerability is triggered when Rucio's `create_sqla_query()` method on Oracle databases interpolates attacker-controlled keys and values directly into `sqlalchemy.text()`. This occurs through the DID search endpoint (`GET /dids/<scope>/dids/search`), bypassing standard parameterization.
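The weakness class described here (filter keys and values pasted into SQL text) is easiest to see beside its hardened form. The snippet below is an added illustration, not code from Rucio: the stdlib `sqlite3` module stands in for the SQLAlchemy/Oracle stack, the `dids` table and its rows are constructed for the demo, and the function names are this example's own. The point it makes is that values can be fixed with bound parameters, but filter keys cannot be bound and therefore need an allowlist of real column names.

```python
"""CWE-89 illustration for the pattern behind CVE-2026-29080: a filter-to-SQL
builder that interpolates keys and values into the statement text, beside a
hardened builder that allowlists keys and binds values. Added example, not
Rucio code; sqlite3 stands in for SQLAlchemy/Oracle."""
import sqlite3

# Constructed sample table standing in for a DID table.
SCHEMA = """
CREATE TABLE dids (scope TEXT, name TEXT, did_type TEXT, length INTEGER);
INSERT INTO dids VALUES ('user.alice', 'file1', 'FILE', 10);
INSERT INTO dids VALUES ('user.alice', 'file2', 'FILE', 20);
INSERT INTO dids VALUES ('user.bob',   'ds1',   'DATASET', 5);
"""

# Columns a caller may filter on. Identifiers cannot be bound as parameters,
# so validating keys against a fixed set is the only safe option.
ALLOWED_FILTER_KEYS = {"scope", "name", "did_type", "length"}


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_query_vulnerable(filters: dict):
    """Vulnerable style: key and value are both pasted into the SQL text, so a
    value containing a quote (or a key containing SQL) rewrites the statement."""
    clauses = [f"{key} = '{value}'" for key, value in filters.items()]
    return "SELECT scope, name FROM dids WHERE " + " AND ".join(clauses), ()


def build_query_safe(filters: dict):
    """Hardened style: keys must be in the allowlist, values travel as bound
    parameters and are never part of the statement text."""
    clauses, params = [], []
    for key, value in filters.items():
        if key not in ALLOWED_FILTER_KEYS:
            raise ValueError(f"unknown filter key: {key!r}")
        clauses.append(f"{key} = ?")
        params.append(value)
    return "SELECT scope, name FROM dids WHERE " + " AND ".join(clauses), tuple(params)


def search(conn: sqlite3.Connection, builder, filters: dict):
    sql, params = builder(filters)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = connect()
    # Constructed input: a filter value that is SQL syntax rather than a DID name.
    hostile = {"name": "x' OR '1'='1"}
    print("vulnerable:", search(conn, build_query_vulnerable, hostile))  # every row
    print("hardened:  ", search(conn, build_query_safe, hostile))        # no rows
    print("legit:     ", search(conn, build_query_safe, {"scope": "user.alice"}))
```

The same filter returns every row through the vulnerable builder and nothing through the hardened one, because the bound parameter is compared literally against the `name` column. A key that is not a known column is rejected before any SQL is built, which is the control the page's description of interpolated "keys and values" calls for on the key side.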

What is the impact of CVE-2026-29080 on Rucio deployments?

Exploiting CVE-2026-29080 can lead to a full compromise of the backend Oracle database. This includes the potential exposure of sensitive data such as authentication tokens, password hashes, and all managed data identifiers. It affects Rucio versions 1.27.0 and later, prior to specific patched versions.

What are the recommended steps to mitigate CVE-2026-29080?

To address CVE-2026-29080, organizations should immediately update Rucio to versions 35.8.5, 38.5.5, 39.4.2, or 40.1.1. As a temporary measure, restricting network access to the DID search endpoint and closely monitoring database logs for suspicious SQL queries are advised.
