critical advisory

Rucio SQL Injection Vulnerability in DID Search API

A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.

A SQL injection vulnerability (CVE-2026-29080) has been identified in Rucio’s FilterEngine.create_sqla_query function, specifically affecting Oracle database backends. The vulnerability resides in the DID search API (GET /dids/<scope>/dids/search) and allows any authenticated Rucio user to execute arbitrary SQL commands. This is due to attacker-controlled filter keys and values being directly interpolated into sqlalchemy.text via Python’s str.format, bypassing proper parameterization. The issue affects Rucio versions >= 1.27.0 and < 35.8.5, versions >= 36.0.0 and < 38.5.5, versions >= 39.0.0 and < 39.4.2, and versions >= 40.0.0 and < 40.1.1 when using the default json_meta metadata plugin configuration with an Oracle database. Successful exploitation can lead to the extraction of sensitive data, including authentication tokens, password hashes, and managed data identifiers, as well as potential data modification or remote code execution.

Attack Chain

  1. An attacker authenticates to the Rucio system using any supported authentication method (userpass, x509, OIDC, SAML, SSH, GSS).
  2. The attacker crafts a malicious HTTP GET request to the /dids/<scope>/dids/search endpoint.
  3. The crafted request includes SQL injection payloads within the filter keys or values of the request parameters.
  4. Rucio’s FilterEngine.create_sqla_query function processes the request and incorrectly interpolates the attacker-controlled input directly into a SQL query string.
  5. The malicious SQL query is executed against the Oracle backend database.
  6. The attacker extracts sensitive information from the database, such as user credentials, authentication tokens, and data management policies.
  7. The attacker uses stolen authentication tokens to impersonate other users and gain unauthorized access to data.
  8. The attacker modifies data management rules or inserts malicious data into the Rucio system.

Impact

Successful exploitation of this vulnerability gives attackers full read access to the Rucio database, potentially affecting all Oracle-based Rucio deployments that use the default json_meta configuration. Attackers can extract sensitive information, including password hashes, authentication tokens, and storage endpoint credentials. Because the stored password hashes use a weak algorithm (single-iteration SHA-256), extracted hashes can be cracked relatively easily. Stolen authentication tokens enable immediate session hijacking. Furthermore, attackers can modify data or potentially achieve remote code execution via Oracle features such as UTL_HTTP or Java stored procedures. This can lead to data breaches, service disruption, and complete system compromise.

Recommendation

  • Upgrade Rucio to a patched version >= 35.8.5, >= 38.5.5, >= 39.4.2, or >= 40.1.1 to remediate CVE-2026-29080.
  • For Oracle deployments, review and harden database user privileges to limit the impact of potential SQL injection attacks.
  • Monitor Rucio web server logs for suspicious requests to the /dids/<scope>/dids/search endpoint containing potentially malicious SQL syntax. Deploy the Sigma rule "Detect Rucio SQL Injection Attempt via DID Search API" to detect this behavior.
  • Implement enhanced password hashing algorithms (e.g., bcrypt, Argon2) to mitigate the impact of password hash extraction.

Detection coverage (2 rules)

Detect Rucio SQL Injection Attempt via DID Search API

critical

Detects potential SQL injection attempts in the Rucio DID search API by looking for suspicious SQL syntax in the cs-uri-query field.

Type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect Rucio DID Search API Abuse

medium

Detects excessive calls to the Rucio DID search API which can indicate SQL injection probing.

Type: sigma | Tactics: discovery | Techniques: T1087 | Sources: webserver, linux
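As an added illustration of the log monitoring described in the recommendations and by the two rules above (example code, not Rucio's code and not the platform's Sigma rules), the following Python flags requests to the DID search endpoint whose decoded query string carries SQL syntax, and separately flags clients that call the endpoint at least a threshold number of times. The log layout, the token list and the threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed access-log lines in an assumed layout:
# client_ip method cs-uri-stem cs-uri-query sc-status (query still URL-encoded).
SAMPLE_LOG = """\
10.0.0.5 GET /dids/user.alice/dids/search type=DATASET&name=run2023* 200
10.0.0.5 GET /dids/user.alice/dids/search type=FILE&length=1024 200
10.0.0.9 GET /dids/user.bob/dids/search name=x%27%20UNION%20SELECT%20NULL-- 500
10.0.0.9 GET /dids/user.bob/dids/search name=a%27%20OR%201%3D1-- 200
10.0.0.9 GET /dids/user.bob/dids/search name=a 200
10.0.0.7 GET /replicas/list scope=user.carol 200
"""

# Only the affected endpoint is in scope; the <scope> segment is arbitrary.
SEARCH_PATH = re.compile(r"^/dids/[^/]+/dids/search$")
# Assumed token set standing in for "suspicious SQL syntax": a quote, comment
# markers, a statement separator and the two keywords that reshape a query.
SQLI_TOKENS = re.compile(r"'|--|/\*|;|\b(?:union|select)\b", re.IGNORECASE)
RATE_THRESHOLD = 3  # assumed per-client call count treated as "excessive"

def parse_line(line):
    ip, method, stem, query, status = line.split()
    # Decode before matching so %27 is seen as the quote it becomes server-side.
    return {"ip": ip, "method": method, "stem": stem,
            "query": unquote_plus(query), "status": int(status)}

def is_search_request(rec):
    return SEARCH_PATH.match(rec["stem"]) is not None

def sqli_alerts(lines):
    """Rule 1: search requests whose decoded query carries SQL syntax."""
    return [(rec["ip"], rec["query"]) for rec in map(parse_line, lines)
            if is_search_request(rec) and SQLI_TOKENS.search(rec["query"])]

def abuse_alerts(lines, threshold=RATE_THRESHOLD):
    """Rule 2: clients issuing at least `threshold` search requests."""
    hits = Counter(rec["ip"] for rec in map(parse_line, lines) if is_search_request(rec))
    return {ip: n for ip, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, query in sqli_alerts(lines):
        print(f"[critical] SQL syntax in DID search from {ip}: {query}")
    for ip, n in abuse_alerts(lines).items():
        print(f"[medium] {n} DID search calls from {ip}")
```

The normal wildcard search (`name=run2023*`) passes both rules, while the requests from 10.0.0.9 trigger the first rule twice and the second rule once.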
