CVE-2026-29080 Overview
CVE-2026-29080 is a SQL injection vulnerability in the Rucio scientific data management system. The flaw resides in the FilterEngine.create_sqla_query() method within lib/rucio/core/did_meta_plugins/filter_engine.py. Any authenticated Rucio user can inject arbitrary SQL through the Data Identifier (DID) search endpoint GET /dids/<scope>/dids/search. The vulnerability only impacts Oracle backend deployments using the default json_meta plugin. PostgreSQL and MySQL deployments are not affected. Exploitation enables full database compromise, including extraction of authentication tokens, password hashes, and managed data identifiers.
Critical Impact
An authenticated attacker can execute arbitrary SQL against the Oracle backend, exposing tables such as identities, tokens, accounts, rse_settings, and rules, and potentially modifying database contents.
Affected Products
- Rucio versions 1.27.0 and later, before 35.8.5
- Rucio 38.x before 38.5.5 and 39.x before 39.4.2
- Rucio 40.x before 40.1.1 (Oracle deployments using the default json_meta plugin)
Discovery Timeline
- 2026-05-06 - CVE-2026-29080 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-29080
Vulnerability Analysis
The vulnerability is a classic SQL injection [CWE-89] caused by string-formatted SQL construction. When the database dialect is Oracle, create_sqla_query() builds filter expressions for JSON metadata columns using sqlalchemy.text() combined with Python .format(). Both the key and value parameters are attacker-controlled strings derived directly from HTTP query parameters. The text() function emits a raw SQL fragment and does not parameterize or escape its contents. Filter inputs are interpolated into the final query before execution, bypassing SQLAlchemy's bind-parameter protections.
Root Cause
The root cause is unsafe SQL construction in the Oracle code path of FilterEngine.create_sqla_query(). Developers used Python string formatting to embed user-supplied filter keys and values into a text() SQL expression. SQLAlchemy treats text() content as trusted SQL, so no parameter binding occurs. The PostgreSQL and MySQL branches use safe query construction, which is why those backends are unaffected.
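The two code paths described above (the string-formatted fragment and a bind-parameter alternative) as an added illustration that is not Rucio's own code. It uses Python's stdlib sqlite3 with a JSON text column standing in for the Oracle JSON metadata column; the table, rows, and function names are constructed for the example.

```python
import json
import re
import sqlite3


# Constructed stand-in for a DID metadata table with a JSON column (not Rucio's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE did_meta (scope TEXT, name TEXT, meta TEXT)")
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?)", [
        ("user.alice", "file1", json.dumps({"run": "123", "type": "raw"})),
        ("user.alice", "file2", json.dumps({"run": "124", "type": "derived"})),
    ])
    return conn


def search_formatted(conn, key, value):
    # The flawed pattern: key and value are pasted into the SQL text with .format(),
    # so the database parser sees whatever the caller sent (no escaping, no binding).
    fragment = "json_extract(meta, '$.{key}') = '{value}'".format(key=key, value=value)
    return conn.execute("SELECT name FROM did_meta WHERE " + fragment).fetchall()


# Metadata keys are identifiers chosen by the caller; constrain their shape explicitly.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def search_bound(conn, key, value):
    # Hardened pattern: reject keys that are not plain identifiers, then pass both the
    # JSON path and the value as bind parameters so they are never parsed as SQL.
    if not KEY_RE.fullmatch(key):
        raise ValueError("metadata key must be a plain identifier: %r" % key)
    sql = "SELECT name FROM did_meta WHERE json_extract(meta, ?) = ?"
    return conn.execute(sql, ("$." + key, value)).fetchall()


def input_reaches_sql_parser(conn, key, value):
    # True when the formatted query fails to parse: the caller's input was read as
    # SQL syntax rather than as data, which is exactly what bind parameters prevent.
    try:
        search_formatted(conn, key, value)
    except sqlite3.OperationalError:
        return True
    return False
```

A value with an embedded quote, such as O'Brien, breaks the formatted query but is matched literally (and harmlessly) by the bound one.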
Attack Vector
An attacker authenticates to the Rucio server using any valid account. The attacker then issues a crafted request to GET /dids/<scope>/dids/search containing manipulated JSON metadata filter keys or values. These values are interpolated into the Oracle SQL fragment, allowing UNION queries, subqueries, or DML statements. The attacker can read sensitive tables containing tokens and password hashes, enumerate all DIDs, or modify managed data. Refer to the GitHub Security Advisory for complete technical details.
Detection Methods for CVE-2026-29080
Indicators of Compromise
- Anomalous GET /dids/<scope>/dids/search requests containing SQL keywords such as UNION, SELECT, --, or /* in filter parameters.
- Unexpected access patterns against Oracle tables identities, tokens, accounts, rse_settings, or rules.
- Authenticated Rucio sessions issuing high volumes of DID search requests with unusual metadata filter keys.
Detection Strategies
- Inspect Rucio server access logs for filter parameters containing SQL metacharacters or Oracle-specific syntax such as DBMS_, UTL_, or DUAL.
- Enable Oracle database auditing on the Rucio schema and alert on queries originating from the Rucio service that touch authentication tables.
- Correlate web server logs with database query logs to identify SQL fragments traceable to user-supplied filter inputs.
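The log-inspection strategy above as an added example (not a Rucio or vendor tool): it parses common-log-format lines, keeps only requests to the DID search endpoint, URL-decodes each filter parameter, and flags the SQL keywords, comment sequences, and Oracle-specific tokens the indicators list names. The log lines and the regex patterns are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed httpd-style access log lines (not real Rucio server output).
SAMPLE_LOG = """\
10.0.0.5 - alice [06/May/2026:10:00:01 +0000] "GET /dids/user.alice/dids/search?type=file&run=123 HTTP/1.1" 200 512
10.0.0.7 - bob [06/May/2026:10:00:02 +0000] "GET /dids/user.bob/dids/search?run=123%27%20UNION%20SELECT%20NULL%20FROM%20DUAL-- HTTP/1.1" 200 2048
10.0.0.9 - carol [06/May/2026:10:00:03 +0000] "GET /replicas/user.carol/file9 HTTP/1.1" 200 128
"""

# Ordered rules drawn from the indicators above; first match wins per parameter.
SQL_PATTERNS = [
    (re.compile(r"\bUNION\b", re.I), "UNION keyword"),
    (re.compile(r"\bSELECT\b", re.I), "SELECT keyword"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
    (re.compile(r"\b(?:DBMS_|UTL_)\w*", re.I), "Oracle package reference"),
    (re.compile(r"\bDUAL\b", re.I), "Oracle DUAL table"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
SEARCH_PATH = re.compile(r"^/dids/[^/]+/dids/search$")


def scan_access_log(text):
    # Returns one finding per suspicious filter parameter on the DID search endpoint.
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not SEARCH_PATH.match(url.path):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl already decodes once; decode again to catch double-encoding.
            key, value = unquote_plus(key), unquote_plus(value)
            for pattern, reason in SQL_PATTERNS:
                if pattern.search(key) or pattern.search(value):
                    findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                                     "param": key, "reason": reason})
                    break
    return findings
```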
Monitoring Recommendations
- Forward Rucio API logs and Oracle audit logs to a centralized analytics platform for correlation and retention.
- Alert on authenticated Rucio accounts that suddenly query metadata endpoints with non-standard filter keys.
- Track failed query patterns from the Rucio service account, which often indicate SQL injection probing.
How to Mitigate CVE-2026-29080
Immediate Actions Required
- Upgrade Rucio to version 35.8.5, 38.5.5, 39.4.2, or 40.1.1 depending on the deployed branch.
- Rotate all Rucio authentication tokens and reset account credentials, assuming token tables may have been exposed.
- Audit Oracle database logs for evidence of injection attempts since the affected versions were deployed.
Patch Information
The Rucio maintainers fixed this issue in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. Patched releases replace string-formatted SQL with properly parameterized queries in the Oracle code path of FilterEngine.create_sqla_query(). Patch details and commit references are available in the Rucio GitHub Security Advisory GHSA-vjr5-c9qv-hgm3.
Workarounds
- Disable the json_meta DID metadata plugin on Oracle deployments until upgrades are applied.
- Restrict access to the /dids/<scope>/dids/search endpoint at a reverse proxy or WAF, rejecting requests with SQL metacharacters in filter parameters.
- Migrate the Rucio metadata backend to PostgreSQL or MySQL if upgrading is not immediately feasible, since those dialects are not affected.
# Example: upgrade the Rucio server package via pip (pin to the fixed release for your branch)
pip install --upgrade 'rucio==40.1.1'
# Restart the Rucio server after the upgrade (the service name depends on how Rucio is deployed)
systemctl restart httpd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.