๐Ÿ” CVE Alert

CVE-2026-29090

UNKNOWN 0.0

Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

### Summary

A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. It allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`).

When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`. The resulting string is then passed to psycopg 3's `sql.SQL()`, which treats its argument as trusted SQL syntax rather than as data, so nothing in the key or value is escaped or parameterized.

Impact depends on the database privileges granted to the Rucio service account: exploitation can expose sensitive tables, modify or delete metadata, read server-side files, or achieve code execution through PostgreSQL features such as `COPY ... FROM PROGRAM`.

Only deployments that explicitly enable the `postgres_meta` metadata plugin are affected; check the server configuration to confirm whether that plugin is in use. The issue has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
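The pattern the advisory describes, shown as an added example that is not Rucio's or psycopg's code: a filter builder that splices keys and values into the statement text with `.format()` next to one that sends them as query parameters and validates any identifier that cannot be parameterized. The table and column names, the `meta->>key` query shape, and the `ORDER BY` allow-list are simplifying assumptions for illustration; the real postgres_meta query differs.

```python
"""
Added example (not Rucio's code). Two builders for a DID metadata search:
the unsafe pattern (attacker input becomes SQL text) and a hardened one
(values travel as parameters, identifiers are allow-listed and quoted).
Table/column names and query shape are assumptions for illustration.
"""
import re

TABLE = "dids"                       # assumed table name
ORDERABLE = {"name", "created_at"}   # assumed allow-list of sortable columns


# --- vulnerable: key and value are formatted into the statement itself ------
def build_query_vulnerable(scope: str, filters: dict, order_by: str = None) -> str:
    where = ["scope = '{}'".format(scope)]
    for key, value in filters.items():
        # Whatever the caller puts in key/value becomes SQL syntax; wrapping the
        # finished string in psycopg's sql.SQL() does not change that.
        where.append("meta->>'{}' = '{}'".format(key, value))
    stmt = "SELECT name FROM {} WHERE {}".format(TABLE, " AND ".join(where))
    if order_by is not None:
        stmt += " ORDER BY {}".format(order_by)
    return stmt


# --- hardened: data as parameters, identifiers validated and quoted ---------
IDENT_RE = re.compile(r"^[a-z_][a-z0-9_]{0,62}$")


def is_valid_key(key: str) -> bool:
    """Metadata keys must look like plain identifiers; anything else is rejected
    before it gets anywhere near the query."""
    return bool(IDENT_RE.match(key))


def quote_identifier(name: str) -> str:
    """PostgreSQL identifier quoting (what psycopg's sql.Identifier produces):
    wrap in double quotes and double any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def build_query_safe(scope: str, filters: dict, order_by: str = None):
    """Return (statement, params) for cursor.execute(statement, params).

    The scope, every filter key and every filter value are bound as %s
    parameters, so they never appear in the statement text. ORDER BY cannot
    take a parameter, so that column is checked against an allow-list and
    quoted as an identifier instead.
    """
    where = ["scope = %s"]
    params = [scope]
    for key, value in filters.items():
        if not is_valid_key(key):
            raise ValueError("rejected metadata key: %r" % (key,))
        where.append("meta->>%s = %s")
        params.extend([key, value])
    stmt = "SELECT name FROM {} WHERE {}".format(TABLE, " AND ".join(where))
    if order_by is not None:
        if order_by not in ORDERABLE:
            raise ValueError("rejected sort column: %r" % (order_by,))
        stmt += " ORDER BY " + quote_identifier(order_by)
    return stmt, params


if __name__ == "__main__":
    # Constructed input: a value that closes the quote and appends a tautology.
    crafted = {"datatype": "x' OR '1'='1"}
    print(build_query_vulnerable("cms", crafted))
    print(build_query_safe("cms", crafted))
```

With the crafted value the first builder yields `... meta->>'datatype' = 'x' OR '1'='1'`, a different query than the caller intended, while the second yields `... meta->>%s = %s` with the value left intact inside the parameter list for the driver to bind.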

- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
- Vendor: rucio
- Product: rucio
- Published: May 6, 2026
- Last Updated: May 6, 2026

### Affected Versions

rucio / rucio:

- >= 1.30.0, < 35.8.5
- >= 35.9.0, < 38.5.5
- >= 38.6.0, < 39.4.2
- >= 40.0.0, < 40.1.1

### References

- NVD
- CVE.org
- EPSS Data
- GitHub Security Advisory: https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947