External risk intelligence

Rucio users can access sensitive data or disrupt services.

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-29090

An internal attacker with valid credentials can use Rucio to execute unauthorized database commands. This allows them to steal or delete sensitive company data and potentially take control of the database server, putting business operations at risk.

Halo Surface Signal: 2

SQL Injection

Cern Rucio

Affected versions:

  • 1.30.0 to before 35.8.5
  • 36.0.0 to before 38.5.5
  • 39.0.0 to before 39.4.2
  • 40.0.0 to before 40.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2026-29090

The vulnerability requires valid authentication to a Rucio platform endpoint. Rucio is a data management system typically deployed within research or internal organizational networks, often protected by access controls. While the application is network-reachable, it is not designed for public internet exposure, and the requirement for credentials further limits the exposed surface.

Horizon Alert

Summary of the vulnerability and why it matters

A SQL injection vulnerability in Rucio allows any authenticated user to execute arbitrary SQL commands against the PostgreSQL database. This happens when the `postgres_meta` plugin is enabled and user-supplied search filters are improperly handled. If exploited, this could lead to exposure or modification of sensitive data.

  • Affects Rucio metadata storage.
  • Can expose or modify sensitive data.
  • Requires existing user authentication.

Attack Path

How an attacker could exploit the issue

An authenticated attacker can exploit this SQL injection by sending crafted requests to the DID search endpoint. This allows them to execute arbitrary SQL commands against the Rucio metadata database. The impact can range from data exfiltration and modification to potential code execution depending on database permissions.

  • Requires authenticated user access.
  • Targets the DID search endpoint.
  • `postgres_meta` plugin must be enabled.

Live Threat

Current exploitation, exposure, and threat context

This SQL injection vulnerability in Rucio's DID search endpoint is concerning because it allows any authenticated user to execute arbitrary SQL. While this doesn't immediately pose a public threat, it could allow an insider to access or manipulate sensitive data within an organization's Rucio deployment. The direct interpolation of attacker-controlled data into SQL queries, even with `psycopg3`'s `sql.SQL()`, is a significant flaw.

  • Requires authenticated access.
  • Affects deployments using `postgres_meta`.
  • Exploitable via DID search endpoint.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Rucio to 35.8.5, 38.5.5, 39.4.2, or 40.1.1 to address the SQL injection vulnerability, especially if the `postgres_meta` plugin is in use. If immediate patching is not feasible, isolate affected services or restrict access to the DID search endpoint to mitigate risk.

  • Apply Rucio versions 35.8.5, 38.5.5, 39.4.2, or 40.1.1.
  • Block network access to DID search endpoints.
  • Monitor logs for suspicious SQL queries.

Frequently asked questions

What is Rucio and what is it used for?

Rucio is a data management system used to organize and manage large amounts of scientific data. It helps researchers and organizations track, transfer, and access datasets across distributed storage systems, commonly in scientific or high-performance computing environments. This vulnerability impacts how Rucio interacts with its PostgreSQL metadata database.

What is the weakness class for CVE-2026-29090?

The vulnerability CVE-2026-29090 is classified as a SQL injection (CWE-89). This means that an attacker can manipulate database queries by inserting malicious SQL code, potentially allowing them to access, modify, or delete data stored in Rucio's PostgreSQL database.

How is the Rucio SQL injection vulnerability triggered?

This vulnerability is triggered when an authenticated Rucio user interacts with the DID search endpoint while the `postgres_meta` plugin is enabled. Attackers can exploit this by crafting specific filter keys and values in their search requests, which are then directly incorporated into SQL commands, bypassing proper sanitization.
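The flaw described here and in the Live Threat section, shown as an added example written for this page (not Rucio's own code): the vulnerable builder formats filter keys and values into the query text, the hardened one allow-lists key shape and binds values. Table and column names (`dids`, `meta`) and the JSONB `->>` layout are assumptions, and plain DB-API `%s` placeholders stand in for psycopg3 so the block runs without a database.

```python
import re
from typing import Any

# Added example, not Rucio's code. Table/column names (dids, meta) are
# assumed: a metadata search turning {key: value} filters into a WHERE clause.
SAFE_KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")


def is_safe_key(key: str) -> bool:
    """True only for plain identifier-like keys; quotes, spaces and comment
    markers never pass, so a key can never terminate a SQL literal."""
    return SAFE_KEY_RE.fullmatch(key) is not None


def build_search_vulnerable(filters: dict[str, Any]) -> str:
    """The flawed pattern: filter keys and values are formatted straight into
    the query text. Wrapping the result in psycopg3's sql.SQL() changes
    nothing, because sql.SQL() marks its argument as already-trusted SQL."""
    clauses = [f"meta->>'{k}' = '{v}'" for k, v in filters.items()]
    return "SELECT name FROM dids WHERE " + " AND ".join(clauses)


def build_search_hardened(filters: dict[str, Any]) -> tuple[str, tuple]:
    """Keys are allow-listed by shape and values are handed to the driver as
    bind parameters (%s placeholders), so neither reaches the SQL text."""
    clauses: list[str] = []
    params: list[Any] = []
    for key, value in filters.items():
        if not is_safe_key(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("meta->>%s = %s")
        params.extend((key, str(value)))
    if not clauses:
        raise ValueError("at least one filter is required")
    return "SELECT name FROM dids WHERE " + " AND ".join(clauses), tuple(params)


if __name__ == "__main__":
    crafted = {"project' OR '1'='1": "x"}  # constructed key containing a quote
    print(build_search_vulnerable(crafted))  # the quote ends the literal early
    try:
        build_search_hardened(crafted)
    except ValueError as err:
        print("hardened builder:", err)
    print(build_search_hardened({"project": "atlas", "run_number": 12}))
```

In real psycopg3 code the same split applies: identifiers go through `sql.Identifier` after validation, values go through placeholders, and only fixed query text is ever passed to `sql.SQL()`.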

Who should care about this Rucio vulnerability?

Organizations using Rucio, especially those with the `postgres_meta` plugin enabled, should be concerned. The Halo Surface Signal indicates this is an unlikely external threat because Rucio typically requires authentication and is often deployed within protected internal networks, limiting direct internet exposure.

What is the first step to respond to this Rucio CVE?

The immediate first step for organizations running Rucio is to update to a fixed version: 35.8.5, 38.5.5, 39.4.2, or 40.1.1. If immediate patching isn't possible, consider isolating the affected Rucio services or restricting access to the DID search endpoint as a temporary mitigation.
