CVE-2026-29090 Overview
CVE-2026-29090 is a SQL injection vulnerability in Rucio, a scientific data management framework used for distributed data orchestration. The flaw resides in FilterEngine.create_postgres_query() and affects Rucio versions 1.30.0 and later, before 35.8.5, 38.5.5, 39.4.2, and 40.1.1. Any authenticated Rucio user can execute arbitrary SQL against the PostgreSQL metadata database through the Data Identifier (DID) search endpoint when the postgres_meta metadata plugin is enabled. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers can read, modify, or delete metadata. If the PostgreSQL role that Rucio connects with is a superuser, or a member of pg_read_server_files or pg_execute_server_program, the same injection also reaches files on the database host and, through COPY ... FROM PROGRAM, operating-system command execution as the database server user.
Affected Products
- Rucio versions 1.30.0 through 35.8.4
- Rucio versions 36.x through 38.5.4
- Rucio versions 39.x through 39.4.1
- Rucio versions 40.x through 40.1.0
Only deployments that enable the postgres_meta metadata plugin reach the vulnerable code path.
Discovery Timeline
- 2026-05-06 - CVE-2026-29090 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-29090
Vulnerability Analysis
Rucio exposes a DID search endpoint at GET /dids/<scope>/dids/search that accepts filter keys and values from authenticated callers. When the postgres_meta metadata plugin is configured, these caller-controlled inputs flow into FilterEngine.create_postgres_query(). The function builds raw SQL strings using Python's str.format() and then wraps the resulting string in psycopg3's sql.SQL(). Because sql.SQL() treats its argument as trusted SQL syntax, the unsanitized filter inputs become part of the query text rather than parameters.
The consequences scale with the database role granted to the Rucio service account. With an ordinary application role, an attacker can enumerate and exfiltrate any table that role can read and alter or destroy metadata records. If the role is a superuser or a member of pg_read_server_files, the injection can also read files on the database host (for example through pg_read_file() or COPY ... FROM '/path'); if it is a superuser or a member of pg_execute_server_program, COPY ... FROM PROGRAM turns the injection into command execution as the operating-system user that runs PostgreSQL.
Root Cause
The root cause is improper neutralization of user-supplied input during SQL construction. Filter keys and values are spliced into the query template through .format() rather than supplied as bound parameters. Wrapping the resulting string in sql.SQL() adds no protection: sql.SQL() marks its argument as trusted SQL syntax and performs no quoting, so the parameter binding that psycopg 3 provides for untrusted data is never used. The correct construction keeps identifiers in sql.Identifier() and passes every caller-supplied value as a query parameter.
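The two paragraphs above describe the flawed pattern and its fix in the abstract. The following is an added illustration written for this page; it is not Rucio's code, and the real FilterEngine.create_postgres_query() is considerably larger. The table and column names, the allowlists, and the (key, operator, value) filter shape are assumptions made for the example. Both builders return (sql_text, params) in the form that psycopg's cursor.execute(sql_text, params) expects, so the difference between the two is exactly where a hostile filter value ends up.

```python
"""Vulnerable vs hardened construction of a DID metadata filter query.

Added illustration for CVE-2026-29090, not Rucio's code. TABLE, JSON_COLUMN,
the allowlists and the filter shape are assumptions for the example.
"""

TABLE = "did_meta"        # assumed table name
JSON_COLUMN = "meta"      # assumed JSONB column holding the metadata

# Assumed allowlists; a real plugin would derive them from its schema/grammar.
ALLOWED_KEYS = {"project", "datatype", "run_number"}
ALLOWED_OPERATORS = {"=", "!=", "<", "<=", ">", ">="}


def build_query_vulnerable(scope, filters):
    """The flawed pattern: str.format() splices caller input into the SQL text.

    Passing the result through psycopg.sql.SQL() changes nothing: sql.SQL only
    marks a string as trusted syntax and never quotes anything.
    """
    clauses = ["scope = '{}'".format(scope)]
    for key, op, value in filters:
        clauses.append("{}->>'{}' {} '{}'".format(JSON_COLUMN, key, op, value))
    return "SELECT name FROM {} WHERE {}".format(TABLE, " AND ".join(clauses)), []


def quote_identifier(name):
    """PostgreSQL identifier quoting, the job psycopg.sql.Identifier does."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def build_query_hardened(scope, filters):
    """Keys and operators are allowlisted; scope, keys and values become bound
    parameters (%s). Identifiers that must sit in the text are quoted.

    With psycopg 3 the same statement is composed as
        sql.SQL("SELECT name FROM {} WHERE scope = %s AND {}->>%s = %s")
           .format(sql.Identifier(TABLE), sql.Identifier(JSON_COLUMN))
    and run with cur.execute(query, params).
    """
    clauses = ["scope = %s"]
    params = [scope]
    for key, op, value in filters:
        if key not in ALLOWED_KEYS:
            raise ValueError("unknown filter key: %r" % key)
        if op not in ALLOWED_OPERATORS:
            raise ValueError("unsupported operator: %r" % op)
        # The JSON key is data, not an identifier: bind it instead of quoting it.
        clauses.append("{}->>%s {} %s".format(quote_identifier(JSON_COLUMN), op))
        params.extend([key, value])
    text = "SELECT name FROM {} WHERE {}".format(quote_identifier(TABLE), " AND ".join(clauses))
    return text, params


INJECTED_VALUE = "x' OR 1=1 --"   # classic payload shape, constructed for the demo


def injection_reaches_sql_text(builder):
    """True when the payload lands in the statement text, i.e. would be parsed as SQL."""
    text, _ = builder("cms", [("project", "=", INJECTED_VALUE)])
    return "OR 1=1" in text


if __name__ == "__main__":
    for builder in (build_query_vulnerable, build_query_hardened):
        text, params = builder("cms", [("project", "=", INJECTED_VALUE)])
        print(builder.__name__, "->", text, params)
```

Note that the hardened builder rejects an unknown key rather than quoting it: a key is an allowlist decision, not something to sanitise, and the operator is taken from a fixed set because an operator cannot be bound as a parameter at all.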
Attack Vector
The attack vector is network-based and requires only a low-privileged authenticated Rucio account. The attacker submits crafted filter keys or values to the DID search endpoint. The injected SQL fragments execute with the privileges of the Rucio database service account against the PostgreSQL metadata database. No user interaction is required.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-6j7p-qjhg-9947 for technical details.
Detection Methods for CVE-2026-29090
Indicators of Compromise
- Requests to GET /dids/<scope>/dids/search containing SQL meta-characters such as single quotes, semicolons, UNION, --, or /* in filter keys or values.
- PostgreSQL log entries showing unexpected statements originating from the Rucio service account, particularly COPY, pg_read_server_files, or DDL operations.
- New or unusual child processes spawned by the PostgreSQL server, indicative of COPY ... FROM PROGRAM execution.
Detection Strategies
- Enable PostgreSQL log_statement = 'all' on the Rucio metadata database and alert on statement text that does not match the shape of the application's ORM-generated queries (trailing comment markers, UNION clauses, COPY, or calls to pg_read_file and similar functions). This setting is verbose; scope it to the metadata database and plan log retention accordingly. With psycopg 3's server-side parameter binding, bound values are logged separately from the statement text, so SQL that was injected into the text itself stands out.
- Inspect Rucio web server access logs for filter parameters containing SQL keywords, encoded payloads, or abnormal length on the DID search endpoint.
- Correlate authenticated user identity with anomalous query patterns to identify abuse of low-privileged accounts.
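The detection strategies above name two log sources: the web server's access log for the search endpoint and the PostgreSQL statement log. The script below is an added example written for this page, not part of the advisory or of Rucio. It assumes Rucio is served by Apache httpd with the standard "combined" LogFormat and that the search filters arrive as query-string parameters, and that PostgreSQL logs with log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '. Every log line in the script is constructed for the example.

```python
"""Log-based hunting for abuse of the Rucio DID search endpoint (CVE-2026-29090).

Added example, not from the advisory or Rucio. Assumptions: Apache "combined"
access-log format, filters passed as query-string parameters, PostgreSQL
log_statement = 'all' with log_line_prefix = '%m [%p] %u@%d '.
All sample lines are constructed.
"""

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# ---- web access log -------------------------------------------------------
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
SEARCH_PATH = re.compile(r"^/dids/[^/]+/dids/search$")
# Characters and keywords a legitimate DID name or metadata filter never needs.
SQL_META = re.compile(r"(?i)'|;|--|/\*|\bunion\b|\bselect\b|\bcopy\b|\bpg_")
MAX_VALUE_LEN = 256


def scan_access_log(text):
    """Return one finding per suspicious query parameter on the search endpoint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ACCESS_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not SEARCH_PATH.match(url.path):
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            value = unquote(raw)          # parse_qsl decoded once; a second pass exposes double encoding
            reasons = []
            if SQL_META.search(key) or SQL_META.search(value):
                reasons.append("sql-metachar")
            if raw != value:
                reasons.append("double-encoded")
            if len(value) > MAX_VALUE_LEN:
                reasons.append("oversized")
            if reasons:
                findings.append({"line": lineno, "ip": m["ip"], "param": key,
                                 "value": value, "reasons": reasons})
    return findings


# ---- PostgreSQL statement log --------------------------------------------
PG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[\d+\] (?P<user>[^@\s]+)@(?P<db>\S+) (?P<level>[A-Z]+):\s+"
    r"(?:(?:statement|execute [^:]*):\s+)?(?P<stmt>.*)$"
)
PG_RULES = [  # (severity, reason, pattern); first match wins
    ("high", "COPY ... FROM PROGRAM", re.compile(r"(?i)\bcopy\b.*\bfrom\s+program\b")),
    ("high", "server file access",
     re.compile(r"(?i)\b(?:pg_read_(?:binary_)?file|pg_ls_dir|lo_import)\s*\(|\bcopy\b.*\b(?:from|to)\s+'")),
    ("medium", "comment marker in statement", re.compile(r"--|/\*")),
    ("low", "DDL from application role", re.compile(r"(?i)^\s*(?:alter|create|drop|truncate)\b")),
]


def scan_pg_log(text, app_role="rucio"):
    """Flag statements issued by the application role that the ORM should never emit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = PG_RE.match(line)
        if not m or m["user"] != app_role:
            continue
        for severity, reason, pattern in PG_RULES:
            if pattern.search(m["stmt"]):
                findings.append({"line": lineno, "severity": severity,
                                 "reason": reason, "stmt": m["stmt"]})
                break
    return findings


# Constructed sample data (not real traffic).
ACCESS_SAMPLE = """\
10.0.0.5 - - [06/May/2026:10:00:01 +0000] "GET /dids/cms/dids/search?type=dataset&project=Run2026A HTTP/1.1" 200 512 "-" "rucio-clients/40.1.0"
10.0.0.9 - - [06/May/2026:10:00:02 +0000] "GET /dids/cms/dids/search?type=dataset&project=x%27%20OR%201%3D1%20-- HTTP/1.1" 200 9034 "-" "python-requests/2.32.0"
10.0.0.9 - - [06/May/2026:10:00:03 +0000] "GET /dids/cms/dids/search?project=%2527%2520UNION%2520SELECT HTTP/1.1" 500 0 "-" "python-requests/2.32.0"
10.0.0.7 - - [06/May/2026:10:00:04 +0000] "GET /replicas/cms/file.root HTTP/1.1" 200 100 "-" "rucio-clients/40.1.0"
"""
PG_SAMPLE = """\
2026-05-06 10:00:01.100 UTC [2201] rucio@rucio LOG:  statement: SELECT dids.name FROM dids WHERE dids.scope = 'cms'
2026-05-06 10:00:02.300 UTC [2201] rucio@rucio LOG:  statement: SELECT name FROM did_meta WHERE meta->>'project' = 'x' OR 1=1 --'
2026-05-06 10:00:03.900 UTC [2201] rucio@rucio LOG:  statement: COPY t FROM PROGRAM 'id'
2026-05-06 10:00:04.100 UTC [2201] rucio@rucio LOG:  statement: SELECT pg_read_file('/etc/passwd')
2026-05-06 10:00:05.000 UTC [2202] rucio@rucio LOG:  statement: ALTER TABLE dids ADD COLUMN note text
"""

if __name__ == "__main__":
    for f in scan_access_log(ACCESS_SAMPLE) + scan_pg_log(PG_SAMPLE):
        print(f)
```

Two caveats when running this against real logs. The combined format does not record the Rucio account; to correlate findings with an identity (the third strategy above) add the request header to the Apache LogFormat, for example with %{X-Rucio-Account}i, and extend ACCESS_RE accordingly. DDL is reported at low severity because schema migrations legitimately run under the application role during upgrades; suppress that rule during maintenance windows rather than dropping it.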
Monitoring Recommendations
- Monitor outbound network connections and process creation events on the PostgreSQL host to detect post-exploitation activity from COPY ... FROM PROGRAM.
- Track schema changes, mass record deletions, or large result-set reads against Rucio metadata tables.
- Alert on any use by the Rucio service role of functions or statements that reach the database host's filesystem or shell (pg_read_file, pg_ls_dir, COPY ... FROM PROGRAM, COPY to or from a file path), and on role or privilege changes (ALTER ROLE, GRANT) issued by that role.
How to Mitigate CVE-2026-29090
Immediate Actions Required
- Upgrade Rucio to a fixed release: 35.8.5, 38.5.5, 39.4.2, or 40.1.1, depending on the deployed major version.
- If immediate patching is not possible, disable the postgres_meta metadata plugin until the upgrade is applied.
- Review and reduce the privileges of the PostgreSQL role used by Rucio: it must not be a superuser and must not be a member, directly or through another role, of pg_execute_server_program, pg_read_server_files, or pg_write_server_files, so that the injection cannot execute COPY ... FROM PROGRAM or read server files.
- Rotate any database credentials and audit metadata tables for unauthorized modifications.
Patch Information
The Rucio maintainers fixed the issue in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1. The fix replaces unsafe string interpolation in FilterEngine.create_postgres_query() with parameterized query construction. See the GitHub Security Advisory GHSA-6j7p-qjhg-9947 for the full advisory and patch references.
Workarounds
- Disable the postgres_meta metadata plugin in the Rucio configuration to remove the vulnerable code path.
- Restrict access to the DID search endpoint at the reverse-proxy or ingress layer to trusted clients only. This narrows who can reach the flaw but does not remove it: any authenticated account that is still allowed through can exploit it.
- Run the Rucio service account as a non-superuser PostgreSQL role with the minimum privileges required for normal operation.
# Configuration example (rucio.cfg): remove postgres_meta from the metadata plugins list
# until a patched release is deployed. Keep comments on their own line: Python's
# configparser, which Rucio uses, does not strip inline comments by default, so text
# after '#' on the value line would become part of the value. The plugin identifiers
# accepted depend on the deployed Rucio version; check the existing value before editing.
[metadata]
plugins = did_column
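The least-privilege advice in the immediate actions and in the workarounds above is easy to state and easy to get wrong, because a dangerous predefined role can be inherited through an intermediate group rather than granted directly. The audit below is an added example written for this page, not part of the advisory or of Rucio. It works offline on constructed catalog snapshots; in production, feed it the rows returned by ROLE_QUERY and MEMBER_QUERY (both are real catalog SQL). The role name "rucio" and the group "app_admin" are assumptions.

```python
"""Audit a PostgreSQL role for attributes that turn this SQL injection into file
access or command execution: SUPERUSER, BYPASSRLS, CREATEROLE, or membership
(direct or inherited) in pg_execute_server_program / pg_read_server_files /
pg_write_server_files.

Added example, not from the advisory or Rucio. ROLE_ROWS/MEMBER_ROWS are a
constructed snapshot; "rucio" and "app_admin" are assumed names.
"""

from collections import deque

# Real catalog queries whose result rows this script consumes.
ROLE_QUERY = "SELECT rolname, rolsuper, rolcreaterole, rolbypassrls FROM pg_roles"
MEMBER_QUERY = (
    "SELECT r.rolname AS role, m.rolname AS member "
    "FROM pg_auth_members am "
    "JOIN pg_roles r ON r.oid = am.roleid "
    "JOIN pg_roles m ON m.oid = am.member"
)

# Predefined roles that let a role read, write or execute on the server host.
DANGEROUS_ROLES = {"pg_execute_server_program", "pg_read_server_files", "pg_write_server_files"}


def quote_identifier(name):
    return '"' + name.replace('"', '""') + '"'


def membership_paths(member_rows, start):
    """BFS over role grants. Returns {granted_role: [start, ..., granted_role]}
    for every role reachable from `start`, so inherited grants are found too."""
    grants = {}
    for role, member in member_rows:
        grants.setdefault(member, []).append(role)
    paths = {}
    queue = deque([[start]])
    while queue:
        path = queue.popleft()
        for role in grants.get(path[-1], []):
            if role in paths:
                continue
            paths[role] = path + [role]
            queue.append(paths[role])
    return paths


def audit_role(rolname, role_rows, member_rows):
    """Return (findings, remediation_sql) for one role."""
    attrs = {r[0]: r for r in role_rows}
    if rolname not in attrs:
        raise KeyError(rolname)
    _, rolsuper, rolcreaterole, rolbypassrls = attrs[rolname]
    findings, fixes = [], []
    if rolsuper:
        findings.append("SUPERUSER: COPY ... FROM PROGRAM and server file access are possible")
        fixes.append("ALTER ROLE %s NOSUPERUSER;" % quote_identifier(rolname))
    if rolcreaterole:
        findings.append("CREATEROLE: can create and alter other roles")
        fixes.append("ALTER ROLE %s NOCREATEROLE;" % quote_identifier(rolname))
    if rolbypassrls:
        findings.append("BYPASSRLS: row-level security does not limit reads")
        fixes.append("ALTER ROLE %s NOBYPASSRLS;" % quote_identifier(rolname))
    for role, path in sorted(membership_paths(member_rows, rolname).items()):
        if role in DANGEROUS_ROLES:
            holder = path[-2]   # the role that holds the dangerous grant directly
            findings.append("member of %s via %s" % (role, " -> ".join(path)))
            fixes.append("REVOKE %s FROM %s;" % (role, quote_identifier(holder)))
    return findings, fixes


# Constructed snapshot (columns match ROLE_QUERY / MEMBER_QUERY).
ROLE_ROWS = [
    ("postgres", True, True, True),
    ("app_admin", False, False, False),
    ("rucio", False, False, False),
    ("rucio_ro", False, False, False),
    ("pg_read_server_files", False, False, False),
    ("pg_execute_server_program", False, False, False),
]
MEMBER_ROWS = [
    ("pg_read_server_files", "rucio"),          # direct grant
    ("pg_execute_server_program", "app_admin"), # inherited by rucio via app_admin
    ("app_admin", "rucio"),
]

if __name__ == "__main__":
    for role in ("rucio", "rucio_ro"):
        findings, fixes = audit_role(role, ROLE_ROWS, MEMBER_ROWS)
        print(role, findings, fixes)
```

The remediation revokes the dangerous role from whichever role holds it directly, which is the minimal change; revoking the intermediate group from the application role instead is also valid but may remove other grants that group carries. Run the audit only against the application role: the bootstrap superuser is expected to fail it.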
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


