GHSA-6j7p-qjhg-9947: Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

Critical
Published: 05/06/2026 (05/06/2026, 16:44:07 UTC)
Source: GCVE Database
Product: rucio

Description

Rucio contains a critical SQL injection vulnerability in the FilterEngine PostgreSQL query builder used by the DID search API when the postgres_meta plugin is configured. Authenticated users can inject arbitrary SQL via filter keys and values that are unsafely interpolated into raw SQL statements. This allows full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability arises from direct string formatting of attacker-controlled input without proper sanitization or parameterization. Exploitation requires the postgres_meta plugin to be explicitly enabled and valid user authentication.

CVSS v4.0

Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
Low
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
High
Subsq. Integrity
High
Subsq. Availability
High
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected software

Ecosystem: PyPI (source: GHSA)
Package: rucio
Affected versions:
>=1.30.0 <35.8.5
>=36.0.0 <38.5.5
>=39.0.0 <39.4.2
>=40.0.0 <40.1.1


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 23:56:10 UTC

Technical Analysis

CVE-2026-29090 is a critical SQL injection vulnerability in Rucio's FilterEngine component, specifically in the create_postgres_query() method used by the postgres_meta metadata plugin. The vulnerability occurs because filter keys and values derived from HTTP query parameters are directly interpolated into raw SQL strings via Python's str.format() without sanitization. The resulting SQL string is then wrapped as trusted SQL syntax and executed, enabling attackers with valid authentication to execute arbitrary SQL commands against the PostgreSQL metadata database. This can lead to full database compromise, including data exfiltration, modification, and possible remote code execution via PostgreSQL's COPY ... FROM PROGRAM feature. The vulnerability affects Rucio versions >=1.30.0 <35.8.5, >=36.0.0 <38.5.5, >=39.0.0 <39.4.2, and >=40.0.0 <40.1.1 when the postgres_meta plugin is configured. The default metadata plugin (json_meta) is not vulnerable. No effective input validation or sanitization is performed on filter keys or values, and the postgres_meta plugin accepts any filter key unconditionally.
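A constructed Python illustration of the interpolation flaw the analysis describes, with a hardened builder beside it. This is added example code, not Rucio's FilterEngine: the did_meta table and its columns, the ALLOWED_KEYS allowlist and the sample rows are assumptions, and SQLite stands in for PostgreSQL so it runs offline.

```python
import sqlite3  # SQLite stands in for PostgreSQL so the example runs offline

# Constructed metadata rows (scope, name, meta_key, meta_value); not real Rucio data.
SAMPLE_ROWS = [
    ("scope1", "file1", "project", "atlas"),
    ("scope1", "file2", "project", "cms"),
    ("scope2", "secret", "project", "hidden"),
]

def build_query_vulnerable(filters):
    """Mirrors the advisory's flaw: filter keys and values are str.format()-ed
    straight into the SQL text, so a value can close its quote and append
    its own clauses. Returns (sql, params) with an empty params tuple."""
    clauses = ["meta_key = '{k}' AND meta_value = '{v}'".format(k=k, v=v)
               for k, v in filters.items()]
    return "SELECT scope, name FROM did_meta WHERE " + " OR ".join(clauses), ()

# Hypothetical allowlist; a real fix would derive it from the plugin's schema.
ALLOWED_KEYS = {"project", "datatype", "run_number"}

def build_query_safe(filters):
    """Hardened form: keys must be in the allowlist and are still bound, not
    interpolated; values travel as parameters so quotes inside them are inert."""
    clauses, params = [], []
    for k, v in filters.items():
        if k not in ALLOWED_KEYS:
            raise ValueError("unsupported filter key: %r" % k)
        clauses.append("(meta_key = ? AND meta_value = ?)")
        params += [k, str(v)]
    return "SELECT scope, name FROM did_meta WHERE " + " OR ".join(clauses), tuple(params)

def run_search(builder, filters):
    """Builds a query with `builder` and runs it on an in-memory did_meta table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE did_meta "
                 "(scope TEXT, name TEXT, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    sql, params = builder(filters)
    return sorted(conn.execute(sql, params).fetchall())

if __name__ == "__main__":
    benign = {"project": "atlas"}
    tainted = {"project": "atlas' OR '1'='1"}  # value breaks out of its quotes
    print(run_search(build_query_vulnerable, benign))   # [('scope1', 'file1')]
    print(run_search(build_query_vulnerable, tainted))  # all three rows leak
    print(run_search(build_query_safe, tainted))        # [] : no literal match
```

The vulnerable builder returns every row for the tainted value because the injected clause rewrites the WHERE condition, while the hardened builder treats the same string as a plain literal and rejects any key outside the allowlist before it reaches the database.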

Potential Impact

An authenticated Rucio user can exploit this vulnerability to execute arbitrary SQL commands on the PostgreSQL metadata database. This can result in complete database compromise including unauthorized data access, data modification, and deletion. Additionally, the attacker may achieve remote code execution on the database server via PostgreSQL features like COPY ... FROM PROGRAM. The impact is critical due to the potential for full system compromise and data breach.

Mitigation Recommendations

Patch status is not confirmed in this analysis; check the vendor advisory for current remediation guidance. The affected-version ranges listed above end at 35.8.5, 38.5.5, 39.4.2 and 40.1.1, so deployments on or past those releases fall outside the affected ranges. Until an official fix is confirmed, do not enable the postgres_meta metadata plugin, or disable it where it is already in use (the default json_meta plugin is not affected). Restrict access to the DID search API to trusted users only, monitor vendor communications for updates, and apply official patches promptly once released.


Technical Details

GCVE source: db.gcve.eu
OSV ID: GHSA-6j7p-qjhg-9947
OSV schema version: 1.4.0
Aliases: CVE-2026-29090
Ecosystems: PyPI
Database-specific severity: CRITICAL
CVSS version: 4.0

Threat ID: 6a4452ee27e9c797198ec423

Added to database: 06/30/2026, 23:36:14 UTC

Last enriched: 06/30/2026, 23:56:10 UTC

Last updated: 06/30/2026, 23:56:10 UTC

