{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/dirac--9.1.0--9.1.10/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DIRAC (\u003e= 6, \u003c 8.0.79)","DIRAC (\u003e= 8.1.0a1, \u003c 9.0.22)","DIRAC (\u003e= 9.1.0, \u003c 9.1.10)"],"_cs_severities":["critical"],"_cs_tags":["RCE","python","web-application","vulnerability","sql-injection","access-control"],"_cs_type":"advisory","_cs_vendors":["DIRACGrid"],"content_html":"\u003cp\u003eA critical remote code execution vulnerability, tracked as CVE-2026-45579, has been identified in the DIRAC RequestManager component. This flaw stems from the \u003ccode\u003eexport_getRequestCountersWeb\u003c/code\u003e function, which is accessible to any authenticated user and processes untrusted input in its \u003ccode\u003egroupingAttribute\u003c/code\u003e parameter. This parameter is then prepended with \u0026quot;Request.\u0026quot; and directly passed to an \u003ccode\u003eeval()\u003c/code\u003e call within \u003ccode\u003eRequestDB.py\u003c/code\u003e if the attribute is unrecognized. This allows an authenticated attacker to inject and execute arbitrary Python code on the DIRAC server. Successful exploitation grants the attacker the ability to run commands as the system user running DIRAC services, enabling full control over the system, including access to sensitive configuration files like \u003ccode\u003edirac.cfg\u003c/code\u003e, database passwords, proxies, and tokens. Attackers could also remove their exploit evidence from local RequestManager logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker accesses the DIRAC web interface or API.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eexport_getRequestCountersWeb\u003c/code\u003e function within the RequestManager as an accessible endpoint.\u003c/li\u003e\n\u003cli\u003eA specially crafted HTTP request is sent to invoke this function, including a malicious \u003ccode\u003egroupingAttribute\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egroupingAttribute\u003c/code\u003e parameter contains Python code designed for arbitrary command execution (e.g., \u003ccode\u003e__import__('os').system('id')\u003c/code\u003e) leveraging dunder methods to access system functions.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eReqManagerHandler.py\u003c/code\u003e component passes the untrusted \u003ccode\u003egroupingAttribute\u003c/code\u003e value to the \u003ccode\u003eRequestDB\u003c/code\u003e database instance.\u003c/li\u003e\n\u003cli\u003eWithin \u003ccode\u003eRequestDB.py\u003c/code\u003e, if the provided \u003ccode\u003egroupingAttribute\u003c/code\u003e is not a recognized grouping string, the system prepends \u0026quot;Request.\u0026quot; to it and executes the resulting string via an \u003ccode\u003eeval()\u003c/code\u003e call.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval()\u003c/code\u003e function executes the attacker's injected Python code with the privileges of the system user running the DIRAC services.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, enabling actions such as retrieving sensitive \u003ccode\u003edirac.cfg\u003c/code\u003e contents, exfiltrating database passwords and tokens, or removing forensic evidence from local RequestManager logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45579 allows any authenticated user to gain arbitrary code execution on the DIRAC server, running commands as the system user. This leads to a full compromise of the DIRAC system, granting the attacker access to highly sensitive information such as the \u003ccode\u003edirac.cfg\u003c/code\u003e file, database passwords, and all stored proxies and tokens. The attacker could also utilize this access to manipulate or remove local log files, hindering incident response and forensic analysis efforts. The scope of impact is broad, encompassing data theft, privilege escalation, and complete control over the compromised DIRAC infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-45579 Exploitation - DIRAC RequestManager RCE\u0026quot; to your SIEM system to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEnsure web server access logs are comprehensively collected and stored, providing the necessary \u003ccode\u003ecs-uri-stem\u003c/code\u003e and \u003ccode\u003ecs-uri-query\u003c/code\u003e fields for the detection rule.\u003c/li\u003e\n\u003cli\u003eImmediately apply the patches to DIRAC versions 8.0.79, 9.0.22, or 9.1.10 as recommended in the advisory to mitigate CVE-2026-45579.\u003c/li\u003e\n\u003cli\u003eImplement rigorous authentication and authorization policies for all users accessing DIRAC systems to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:43:03Z","date_published":"2026-07-13T17:23:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/","summary":"A critical remote code execution vulnerability (CVE-2026-45579) in DIRAC's RequestManager allows any authenticated user to execute arbitrary commands or code on the DIRAC server due to the improper use of `eval()` on untrusted input, leading to full system compromise including data exfiltration and log manipulation.","title":"DIRAC Vulnerable to Remote Code Execution via eval on Untrusted Input in RequestManager","url":"https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/"}],"language":"en","title":"CraftedSignal Threat Feed - DIRAC (\u003e= 9.1.0, \u003c 9.1.10)","version":"https://jsonfeed.org/version/1.1"}