CVE-2026-29090

Source
https://cve.org/CVERecord?id=CVE-2026-29090
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29090.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-29090
Aliases
Published
2026-05-06T17:21:24.141Z
Modified
2026-07-08T08:12:26.114665247Z
Severity
  • 9.0 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
Summary
Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
Details

Summary

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in FilterEngine.create_postgres_query(). This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (GET /dids/<scope>/dids/search). When the postgres_meta metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python .format(), then passed to psycopg3's sql.SQL() which treats the string as trusted SQL syntax.

Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "introduced": "38.6.0"
                },
                {
                    "fixed": "39.4.2"
                },
                {
                    "introduced": "40.0.0"
                },
                {
                    "fixed": "40.1.1"
                }
            ]
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29090.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/rucio/rucio

Affected ranges

Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "1.30.0"
        },
        {
            "fixed": "35.8.5"
        },
        {
            "introduced": "36.0.0"
        },
        {
            "fixed": "38.5.5"
        }
    ]
}

Affected versions

1.*
1.30.0
1.31.0
32.*
32.0.0
32.0.0rc1
32.0.0rc2
33.*
33.0.0
33.0.0rc1
33.0.0rc2
33.0.0rc3
34.*
34.0.0
34.0.0rc1
34.0.0rc2
35.*
35.0.0
35.0.0rc1
35.0.0rc2
35.0.1
35.1.0
35.1.1
35.2.0
35.2.1
35.3.0
35.4.0
35.4.1
35.5.0
35.6.0
35.6.1
35.7.0
35.8.0
35.8.2
35.8.3
35.8.4
36.*
36.0.0
37.*
37.0.0
37.0.0rc1
37.0.0rc2
37.0.0rc3
37.0.0rc4
38.*
38.0.0
38.0.0rc1
38.0.0rc2
38.0.0rc3
38.1.0
38.2.0
38.3.0
38.4.0
38.5.0
38.5.1
38.5.2
38.5.3
38.5.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29090.json"