{"id":"CVE-2026-29090","summary":"Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database","details":"### Summary\n\nA SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/\u003cscope\u003e/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. \n\nDepending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.","aliases":["GHSA-6j7p-qjhg-9947","PYSEC-2026-527"],"modified":"2026-07-08T08:12:26.114665247Z","published":"2026-05-06T17:21:24.141Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29090.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"38.6.0"},{"fixed":"39.4.2"},{"introduced":"40.0.0"},{"fixed":"40.1.1"}]}],"cna_assigner":"GitHub_M","cwe_ids":["CWE-89"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/29xxx/CVE-2026-29090.json"},{"type":"ADVISORY","url":"https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-29090"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rucio/rucio","events":[{"introduced":"0c04740b4a15b6a37dcc8430c66473aff97226e8"},{"fixed":"0e7ce8e9ce3654f9e3b92a8b53a1717e6f9a2b9e"},{"introduced":"46cc73438ba4042ac937fff1c5a0dfabc83e91f3"},{"fixed":"e8c591df9aa46ed25bc1683ab0110a44981c5582"}],"database_specific":{"cpe":"cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"1.30.0"},{"fixed":"35.8.5"},{"introduced":"36.0.0"},{"fixed":"38.5.5"}]}}],"versions":["35.8.4","38.5.4","35.8.3","35.8.2","38.5.3","38.5.2","38.5.1","38.5.0","38.4.0","38.3.0","38.2.0","35.8.0","38.1.0","38.0.0","38.0.0rc3","38.0.0rc2","38.0.0rc1","37.0.0","37.0.0rc4","37.0.0rc3","37.0.0rc2","37.0.0rc1","35.7.0","35.6.1","36.0.0","35.6.0","35.5.0","35.4.1","35.4.0","35.3.0","35.2.1","35.2.0","35.1.1","35.1.0","35.0.1","35.0.0","35.0.0rc2","35.0.0rc1","34.0.0","34.0.0rc2","34.0.0rc1","33.0.0","33.0.0rc3","33.0.0rc2","33.0.0rc1","32.0.0","32.0.0rc2","32.0.0rc1","1.31.0","1.30.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-29090.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"}]}