GHSA-6j7p-qjhg-9947: Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API
Rucio contains a critical SQL injection vulnerability in the FilterEngine PostgreSQL query builder used by the DID search API when the postgres_meta plugin is configured. Authenticated users can inject arbitrary SQL via filter keys and values that are unsafely interpolated into raw SQL statements. This allows full database compromise including data exfiltration, modification, and potential remote code execution. The vulnerability arises from direct string formatting of attacker-controlled input without proper sanitization or parameterization. Exploitation requires the postgres_meta plugin to be explicitly enabled and valid user authentication.
AI Analysis
Technical Summary
CVE-2026-29090 is a critical SQL injection vulnerability in Rucio's FilterEngine component, specifically in the create_postgres_query() method used by the postgres_meta metadata plugin. The vulnerability occurs because filter keys and values derived from HTTP query parameters are directly interpolated into raw SQL strings via Python's str.format() without sanitization. The resulting SQL string is then wrapped as trusted SQL syntax and executed, enabling attackers with valid authentication to execute arbitrary SQL commands against the PostgreSQL metadata database. This can lead to full database compromise, including data exfiltration, modification, and possible remote code execution via PostgreSQL's COPY ... FROM PROGRAM feature. The vulnerability affects Rucio versions >=1.30.0 <35.8.5, >=36.0.0 <38.5.5, >=39.0.0 <39.4.2, and >=40.0.0 <40.1.1 when the postgres_meta plugin is configured. The default metadata plugin (json_meta) is not vulnerable. No effective input validation or sanitization is performed on filter keys or values, and the postgres_meta plugin accepts any filter key unconditionally.
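As an added illustration that is not Rucio's own code, the following hypothetical, simplified filter-to-SQL builder shows the str.format() interpolation pattern the advisory describes next to a hardened form that rejects non-identifier filter keys and binds both keys and values as DB-API parameters; the table name, column name and JSON lookup shape are assumptions.

```python
from __future__ import annotations
import re
from typing import Any

# Hypothetical stand-in for a metadata filter builder (not Rucio's code).
# Defect described by the advisory: keys and values from the request are
# formatted straight into the SQL text, so quoting is in the caller's hands.
def build_query_vulnerable(filters: dict[str, Any]) -> str:
    clauses = [
        "data->>'{key}' = '{value}'".format(key=k, value=v)
        for k, v in filters.items()
    ]
    return "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)

# Hardened form: a filter key must look like a plain identifier (and, when a
# configured allowlist is given, be one of the known metadata keys); user text
# never reaches the SQL string, it travels in the parameter tuple instead.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")

def build_query_safe(
    filters: dict[str, Any],
    allowed_keys: frozenset[str] | None = None,
) -> tuple[str, tuple]:
    clauses: list[str] = []
    params: list[str] = []
    for key, value in filters.items():
        if not _KEY_RE.fullmatch(key):
            raise ValueError(f"rejected filter key: {key!r}")
        if allowed_keys is not None and key not in allowed_keys:
            raise ValueError(f"unknown filter key: {key!r}")
        # Both the JSON key and the compared value are bound with "%s"
        # placeholders (psycopg style), so the SQL text is constant.
        clauses.append("data->>%s = %s")
        params.extend([key, str(value)])
    if not clauses:
        return "SELECT name FROM did_meta", ()
    sql = "SELECT name FROM did_meta WHERE " + " AND ".join(clauses)
    return sql, tuple(params)
```

The returned (sql, params) pair is what would be handed to cursor.execute(); with the vulnerable builder the same input lands verbatim inside the statement text.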
Potential Impact
An authenticated Rucio user can exploit this vulnerability to execute arbitrary SQL commands on the PostgreSQL metadata database. This can result in complete database compromise including unauthorized data access, data modification, and deletion. Additionally, the attacker may achieve remote code execution on the database server via PostgreSQL features like COPY ... FROM PROGRAM. The impact is critical due to the potential for full system compromise and data breach.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, do not enable the postgres_meta metadata plugin, or disable it if it is already in use; the default json_meta plugin is not affected. Restrict access to the DID search API to trusted users only. Monitor vendor communications for updates and apply official patches promptly once released.
Technical Details
- Gcve Source: db.gcve.eu
- Osv Id: GHSA-6j7p-qjhg-9947
- Osv Schema Version: 1.4.0
- Aliases: CVE-2026-29090
- Ecosystems: PyPI
- Database Specific Severity: CRITICAL
- Cvss Version: 4.0
Threat ID: 6a4452ee27e9c797198ec423
Added to database: 06/30/2026, 23:36:14 UTC
Last enriched: 06/30/2026, 23:56:10 UTC
Last updated: 06/30/2026, 23:56:10 UTC