DIRAC Vulnerable to Remote Code Execution via eval on Untrusted Input in RequestManager
A critical remote code execution vulnerability (CVE-2026-45579) in DIRAC's RequestManager allows any authenticated user to execute arbitrary commands or code on the DIRAC server due to the improper use of `eval()` on untrusted input, leading to full system compromise including data exfiltration and log manipulation.
What's new
- l2 added detection rule: Detect DIRAC PilotManager SQL Injection Attempts Jul 13, 18:43 via ghsa
A critical remote code execution vulnerability, tracked as CVE-2026-45579, has been identified in the DIRAC RequestManager component. This flaw stems from the export_getRequestCountersWeb function, which is accessible to any authenticated user and processes untrusted input in its groupingAttribute parameter. This parameter is then prepended with "Request." and directly passed to an eval() call within RequestDB.py if the attribute is unrecognized. This allows an authenticated attacker to inject and execute arbitrary Python code on the DIRAC server. Successful exploitation grants the attacker the ability to run commands as the system user running DIRAC services, enabling full control over the system, including access to sensitive configuration files like dirac.cfg, database passwords, proxies, and tokens. Attackers could also remove their exploit evidence from local RequestManager logs.
Attack Chain
- An authenticated attacker accesses the DIRAC web interface or API.
- The attacker identifies the
export_getRequestCountersWebfunction within the RequestManager as an accessible endpoint. - A specially crafted HTTP request is sent to invoke this function, including a malicious
groupingAttributeparameter. - The
groupingAttributeparameter contains Python code designed for arbitrary command execution (e.g.,__import__('os').system('id')) leveraging dunder methods to access system functions. - The
ReqManagerHandler.pycomponent passes the untrustedgroupingAttributevalue to theRequestDBdatabase instance. - Within
RequestDB.py, if the providedgroupingAttributeis not a recognized grouping string, the system prepends "Request." to it and executes the resulting string via aneval()call. - The
eval()function executes the attacker's injected Python code with the privileges of the system user running the DIRAC services. - The attacker achieves remote code execution, enabling actions such as retrieving sensitive
dirac.cfgcontents, exfiltrating database passwords and tokens, or removing forensic evidence from local RequestManager logs.
Impact
Successful exploitation of CVE-2026-45579 allows any authenticated user to gain arbitrary code execution on the DIRAC server, running commands as the system user. This leads to a full compromise of the DIRAC system, granting the attacker access to highly sensitive information such as the dirac.cfg file, database passwords, and all stored proxies and tokens. The attacker could also utilize this access to manipulate or remove local log files, hindering incident response and forensic analysis efforts. The scope of impact is broad, encompassing data theft, privilege escalation, and complete control over the compromised DIRAC infrastructure.
Recommendation
- Deploy the Sigma rule "Detects CVE-2026-45579 Exploitation - DIRAC RequestManager RCE" to your SIEM system to identify exploitation attempts.
- Ensure web server access logs are comprehensively collected and stored, providing the necessary
cs-uri-stemandcs-uri-queryfields for the detection rule. - Immediately apply the patches to DIRAC versions 8.0.79, 9.0.22, or 9.1.10 as recommended in the advisory to mitigate CVE-2026-45579.
- Implement rigorous authentication and authorization policies for all users accessing DIRAC systems to reduce the attack surface.
Detection coverage 2
Detects CVE-2026-45579 Exploitation - DIRAC RequestManager RCE
criticalDetects CVE-2026-45579 exploitation - HTTP requests targeting the export_getRequestCountersWeb function with suspicious characters in groupingAttribute indicating remote code execution via eval on untrusted input.
Detect DIRAC PilotManager SQL Injection Attempts
highDetects suspicious patterns indicative of SQL injection attempts against the DIRAC PilotManager service, targeting vulnerable functions identified in GHSA-7xw9-549r-8jrc.
Detection queries are available on the platform. Get full rules →