<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DIRAC (&gt;= 9.1.0, &lt; 9.1.10) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/dirac--9.1.0--9.1.10/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 17:23:02 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/dirac--9.1.0--9.1.10/feed.xml" rel="self" type="application/rss+xml"/><item><title>DIRAC Vulnerable to Remote Code Execution via eval on Untrusted Input in RequestManager</title><link>https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/</link><pubDate>Mon, 13 Jul 2026 17:23:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dirac-rce-requestmanager/</guid><description>A critical remote code execution vulnerability (CVE-2026-45579) in DIRAC's RequestManager allows any authenticated user to execute arbitrary commands or code on the DIRAC server due to the improper use of `eval()` on untrusted input, leading to full system compromise including data exfiltration and log manipulation.</description><content:encoded><![CDATA[<p>A critical remote code execution vulnerability, tracked as CVE-2026-45579, has been identified in the DIRAC RequestManager component. This flaw stems from the <code>export_getRequestCountersWeb</code> function, which is accessible to any authenticated user and processes untrusted input in its <code>groupingAttribute</code> parameter. This parameter is then prepended with &quot;Request.&quot; and directly passed to an <code>eval()</code> call within <code>RequestDB.py</code> if the attribute is unrecognized. This allows an authenticated attacker to inject and execute arbitrary Python code on the DIRAC server. Successful exploitation grants the attacker the ability to run commands as the system user running DIRAC services, enabling full control over the system, including access to sensitive configuration files like <code>dirac.cfg</code>, database passwords, proxies, and tokens. Attackers could also remove their exploit evidence from local RequestManager logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker accesses the DIRAC web interface or API.</li>
<li>The attacker identifies the <code>export_getRequestCountersWeb</code> function within the RequestManager as an accessible endpoint.</li>
<li>A specially crafted HTTP request is sent to invoke this function, including a malicious <code>groupingAttribute</code> parameter.</li>
<li>The <code>groupingAttribute</code> parameter contains Python code designed for arbitrary command execution (e.g., <code>__import__('os').system('id')</code>) leveraging dunder methods to access system functions.</li>
<li>The <code>ReqManagerHandler.py</code> component passes the untrusted <code>groupingAttribute</code> value to the <code>RequestDB</code> database instance.</li>
<li>Within <code>RequestDB.py</code>, if the provided <code>groupingAttribute</code> is not a recognized grouping string, the system prepends &quot;Request.&quot; to it and executes the resulting string via an <code>eval()</code> call.</li>
<li>The <code>eval()</code> function executes the attacker's injected Python code with the privileges of the system user running the DIRAC services.</li>
<li>The attacker achieves remote code execution, enabling actions such as retrieving sensitive <code>dirac.cfg</code> contents, exfiltrating database passwords and tokens, or removing forensic evidence from local RequestManager logs.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-45579 allows any authenticated user to gain arbitrary code execution on the DIRAC server, running commands as the system user. This leads to a full compromise of the DIRAC system, granting the attacker access to highly sensitive information such as the <code>dirac.cfg</code> file, database passwords, and all stored proxies and tokens. The attacker could also utilize this access to manipulate or remove local log files, hindering incident response and forensic analysis efforts. The scope of impact is broad, encompassing data theft, privilege escalation, and complete control over the compromised DIRAC infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-45579 Exploitation - DIRAC RequestManager RCE&quot; to your SIEM system to identify exploitation attempts.</li>
<li>Ensure web server access logs are comprehensively collected and stored, providing the necessary <code>cs-uri-stem</code> and <code>cs-uri-query</code> fields for the detection rule.</li>
<li>Immediately apply the patches to DIRAC versions 8.0.79, 9.0.22, or 9.1.10 as recommended in the advisory to mitigate CVE-2026-45579.</li>
<li>Implement rigorous authentication and authorization policies for all users accessing DIRAC systems to reduce the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>RCE</category><category>python</category><category>web-application</category><category>vulnerability</category><category>sql-injection</category><category>access-control</category></item></channel></rss>