CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-29090

### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.001

EPSS Ranking 17.7%

CVSS Severity

CVSS v3 Score 8.8

References

https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947

Products affected by CVE-2026-29090

Cern » Rucio » Version: 1.30.0

cpe:2.3:a:cern:rucio:1.30.0
Cern » Rucio » Version: 1.30.1

cpe:2.3:a:cern:rucio:1.30.1
Cern » Rucio » Version: 1.30.2

cpe:2.3:a:cern:rucio:1.30.2
Cern » Rucio » Version: 1.30.3

cpe:2.3:a:cern:rucio:1.30.3
Cern » Rucio » Version: 1.30.4

cpe:2.3:a:cern:rucio:1.30.4
Cern » Rucio » Version: 1.30.5

cpe:2.3:a:cern:rucio:1.30.5
Cern » Rucio » Version: 1.30.6

cpe:2.3:a:cern:rucio:1.30.6
Cern » Rucio » Version: 1.30.7

cpe:2.3:a:cern:rucio:1.30.7
Cern » Rucio » Version: 1.30.8

cpe:2.3:a:cern:rucio:1.30.8
Cern » Rucio » Version: 1.31.0

cpe:2.3:a:cern:rucio:1.31.0
Cern » Rucio » Version: 1.31.1

cpe:2.3:a:cern:rucio:1.31.1
Cern » Rucio » Version: 1.31.2

cpe:2.3:a:cern:rucio:1.31.2
Cern » Rucio » Version: 1.31.3

cpe:2.3:a:cern:rucio:1.31.3
Cern » Rucio » Version: 1.31.4

cpe:2.3:a:cern:rucio:1.31.4
Cern » Rucio » Version: 1.31.5

cpe:2.3:a:cern:rucio:1.31.5
Cern » Rucio » Version: 1.31.6

cpe:2.3:a:cern:rucio:1.31.6
Cern » Rucio » Version: 1.31.7

cpe:2.3:a:cern:rucio:1.31.7
Cern » Rucio » Version: 32.0.0

cpe:2.3:a:cern:rucio:32.0.0
Cern » Rucio » Version: 32.1.0

cpe:2.3:a:cern:rucio:32.1.0
Cern » Rucio » Version: 32.2.0

cpe:2.3:a:cern:rucio:32.2.0
Cern » Rucio » Version: 32.3.0

cpe:2.3:a:cern:rucio:32.3.0
Cern » Rucio » Version: 32.3.1

cpe:2.3:a:cern:rucio:32.3.1
Cern » Rucio » Version: 32.4.0

cpe:2.3:a:cern:rucio:32.4.0
Cern » Rucio » Version: 32.5.0

cpe:2.3:a:cern:rucio:32.5.0
Cern » Rucio » Version: 32.5.1

cpe:2.3:a:cern:rucio:32.5.1
Cern » Rucio » Version: 32.6.0

cpe:2.3:a:cern:rucio:32.6.0
Cern » Rucio » Version: 32.7.0

cpe:2.3:a:cern:rucio:32.7.0
Cern » Rucio » Version: 32.8.0

cpe:2.3:a:cern:rucio:32.8.0
Cern » Rucio » Version: 32.8.1

cpe:2.3:a:cern:rucio:32.8.1
Cern » Rucio » Version: 32.8.2

cpe:2.3:a:cern:rucio:32.8.2
Cern » Rucio » Version: 32.8.3

cpe:2.3:a:cern:rucio:32.8.3
Cern » Rucio » Version: 32.8.4

cpe:2.3:a:cern:rucio:32.8.4
Cern » Rucio » Version: 32.8.5

cpe:2.3:a:cern:rucio:32.8.5
Cern » Rucio » Version: 32.8.6

cpe:2.3:a:cern:rucio:32.8.6
Cern » Rucio » Version: 33.0.0

cpe:2.3:a:cern:rucio:33.0.0
Cern » Rucio » Version: 33.1.0

cpe:2.3:a:cern:rucio:33.1.0
Cern » Rucio » Version: 33.2.0

cpe:2.3:a:cern:rucio:33.2.0
Cern » Rucio » Version: 33.2.1

cpe:2.3:a:cern:rucio:33.2.1
Cern » Rucio » Version: 33.3.0

cpe:2.3:a:cern:rucio:33.3.0
Cern » Rucio » Version: 33.4.0

cpe:2.3:a:cern:rucio:33.4.0
Cern » Rucio » Version: 33.5.0

cpe:2.3:a:cern:rucio:33.5.0
Cern » Rucio » Version: 33.6.0

cpe:2.3:a:cern:rucio:33.6.0
Cern » Rucio » Version: 33.6.1

cpe:2.3:a:cern:rucio:33.6.1
Cern » Rucio » Version: 34.0.0

cpe:2.3:a:cern:rucio:34.0.0
Cern » Rucio » Version: 34.1.0

cpe:2.3:a:cern:rucio:34.1.0
Cern » Rucio » Version: 34.2.0

cpe:2.3:a:cern:rucio:34.2.0
Cern » Rucio » Version: 34.3.0

cpe:2.3:a:cern:rucio:34.3.0
Cern » Rucio » Version: 34.4.0

cpe:2.3:a:cern:rucio:34.4.0
Cern » Rucio » Version: 34.4.1

cpe:2.3:a:cern:rucio:34.4.1
Cern » Rucio » Version: 34.4.2

cpe:2.3:a:cern:rucio:34.4.2
Cern » Rucio » Version: 34.4.3

cpe:2.3:a:cern:rucio:34.4.3
Cern » Rucio » Version: 34.5.0

cpe:2.3:a:cern:rucio:34.5.0
Cern » Rucio » Version: 34.6.0

cpe:2.3:a:cern:rucio:34.6.0
Cern » Rucio » Version: 35.0.0

cpe:2.3:a:cern:rucio:35.0.0
Cern » Rucio » Version: 35.0.1

cpe:2.3:a:cern:rucio:35.0.1
Cern » Rucio » Version: 35.1.0

cpe:2.3:a:cern:rucio:35.1.0
Cern » Rucio » Version: 35.1.1

cpe:2.3:a:cern:rucio:35.1.1
Cern » Rucio » Version: 35.2.0

cpe:2.3:a:cern:rucio:35.2.0
Cern » Rucio » Version: 35.2.1

cpe:2.3:a:cern:rucio:35.2.1
Cern » Rucio » Version: 35.3.0

cpe:2.3:a:cern:rucio:35.3.0
Cern » Rucio » Version: 35.4.0

cpe:2.3:a:cern:rucio:35.4.0
Cern » Rucio » Version: 35.4.1

cpe:2.3:a:cern:rucio:35.4.1
Cern » Rucio » Version: 35.5.0

cpe:2.3:a:cern:rucio:35.5.0
Cern » Rucio » Version: 35.6.0

cpe:2.3:a:cern:rucio:35.6.0
Cern » Rucio » Version: 35.6.1

cpe:2.3:a:cern:rucio:35.6.1
Cern » Rucio » Version: 35.7.0

cpe:2.3:a:cern:rucio:35.7.0
Cern » Rucio » Version: 35.8.0

cpe:2.3:a:cern:rucio:35.8.0
Cern » Rucio » Version: 35.8.1

cpe:2.3:a:cern:rucio:35.8.1
Cern » Rucio » Version: 35.8.2

cpe:2.3:a:cern:rucio:35.8.2
Cern » Rucio » Version: 35.8.3

cpe:2.3:a:cern:rucio:35.8.3
Cern » Rucio » Version: 35.8.4

cpe:2.3:a:cern:rucio:35.8.4
Cern » Rucio » Version: 36.0.0

cpe:2.3:a:cern:rucio:36.0.0
Cern » Rucio » Version: 36.1.0

cpe:2.3:a:cern:rucio:36.1.0
Cern » Rucio » Version: 36.2.0

cpe:2.3:a:cern:rucio:36.2.0
Cern » Rucio » Version: 36.3.0

cpe:2.3:a:cern:rucio:36.3.0
Cern » Rucio » Version: 36.4.0

cpe:2.3:a:cern:rucio:36.4.0
Cern » Rucio » Version: 36.5.0

cpe:2.3:a:cern:rucio:36.5.0
Cern » Rucio » Version: 37.0.0

cpe:2.3:a:cern:rucio:37.0.0
Cern » Rucio » Version: 37.1.0

cpe:2.3:a:cern:rucio:37.1.0
Cern » Rucio » Version: 37.2.0

cpe:2.3:a:cern:rucio:37.2.0
Cern » Rucio » Version: 37.3.0

cpe:2.3:a:cern:rucio:37.3.0
Cern » Rucio » Version: 37.4.0

cpe:2.3:a:cern:rucio:37.4.0
Cern » Rucio » Version: 37.5.0

cpe:2.3:a:cern:rucio:37.5.0
Cern » Rucio » Version: 37.6.0

cpe:2.3:a:cern:rucio:37.6.0
Cern » Rucio » Version: 37.7.0

cpe:2.3:a:cern:rucio:37.7.0
Cern » Rucio » Version: 37.7.1

cpe:2.3:a:cern:rucio:37.7.1
Cern » Rucio » Version: 38.0.0

cpe:2.3:a:cern:rucio:38.0.0
Cern » Rucio » Version: 38.1.0

cpe:2.3:a:cern:rucio:38.1.0
Cern » Rucio » Version: 38.2.0

cpe:2.3:a:cern:rucio:38.2.0
Cern » Rucio » Version: 38.3.0

cpe:2.3:a:cern:rucio:38.3.0
Cern » Rucio » Version: 38.4.0

cpe:2.3:a:cern:rucio:38.4.0
Cern » Rucio » Version: 38.5.0

cpe:2.3:a:cern:rucio:38.5.0
Cern » Rucio » Version: 38.5.1

cpe:2.3:a:cern:rucio:38.5.1
Cern » Rucio » Version: 38.5.2

cpe:2.3:a:cern:rucio:38.5.2
Cern » Rucio » Version: 38.5.3

cpe:2.3:a:cern:rucio:38.5.3
Cern » Rucio » Version: 38.5.4

cpe:2.3:a:cern:rucio:38.5.4
Cern » Rucio » Version: 39.0.0

cpe:2.3:a:cern:rucio:39.0.0
Cern » Rucio » Version: 39.1.0

cpe:2.3:a:cern:rucio:39.1.0
Cern » Rucio » Version: 39.2.0

cpe:2.3:a:cern:rucio:39.2.0
Cern » Rucio » Version: 39.3.0

cpe:2.3:a:cern:rucio:39.3.0
Cern » Rucio » Version: 39.3.1

cpe:2.3:a:cern:rucio:39.3.1
Cern » Rucio » Version: 39.4.0

cpe:2.3:a:cern:rucio:39.4.0
Cern » Rucio » Version: 39.4.1

cpe:2.3:a:cern:rucio:39.4.1
Cern » Rucio » Version: 40.0.0

cpe:2.3:a:cern:rucio:40.0.0
Cern » Rucio » Version: 40.1.0

cpe:2.3:a:cern:rucio:40.1.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-29090

Products

Pricing

Contact Us