CVE-2026-29090— Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-29090
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
Source: NVD (National Vulnerability Database)
Vulnerability Description
### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Rucio SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Rucio是rucio开源的一个科学数据管理工具。 Rucio存在SQL注入漏洞,该漏洞源于FilterEngine.create_postgres_query方法中SQL注入,可能导致任何经过身份验证的Rucio用户通过DID搜索端点对PostgreSQL元数据数据库执行任意SQL,暴露敏感表、修改或删除元数据、访问服务器端文件或通过PostgreSQL功能实现代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-29090
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-29090
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: rucio
- CVE-2026-29080
Rucio SQL Injection in FilterEngine Oracle JSON Path via DID - CVE-2026-25736
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerab - CVE-2026-25735
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerab - CVE-2026-25734
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Met - CVE-2026-25733
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS)
Same vendor: rucio
- CVE-2026-29080
Rucio SQL Injection in FilterEngine Oracle JSON Path via DID - CVE-2026-25736
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerab - CVE-2026-25735
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerab - CVE-2026-25734
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Met - CVE-2026-25733
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS)
Same weakness: CWE-89
- CVE-2021-47941
WordPress Plugin Survey & Poll 1.5.7.3 SQL Injection via sss - CVE-2021-47930
Balbooa Joomla Forms Builder 2.0.6 SQL Injection Unauthentic - CVE-2021-47928
Opencart TMD Vendor System 3.x Blind SQL Injection via produ - CVE-2026-8231
CodeAstro Online Catering Ordering System deleteorder.php sq - CVE-2025-14179
SQL injection in pdo_firebird via NUL bytes in quoted string
V. Comments for CVE-2026-29090
No comments yet