{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-29080/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["rucio"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","rucio","cve-2026-29080","web-application"],"_cs_type":"advisory","_cs_vendors":["Oracle","pip"],"content_html":"\u003cp\u003eA SQL injection vulnerability (CVE-2026-29080) has been identified in Rucio\u0026rsquo;s \u003ccode\u003eFilterEngine.create_sqla_query\u003c/code\u003e function, in the code path taken for Oracle database backends. The vulnerability is reachable through the DID search API (\u003ccode\u003eGET /dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e) and allows any authenticated Rucio user to execute arbitrary SQL. The root cause is that attacker-controlled filter keys and values are interpolated into the statement string handed to \u003ccode\u003esqlalchemy.text\u003c/code\u003e with Python\u0026rsquo;s \u003ccode\u003estr.format\u003c/code\u003e, so neither is bound as a parameter and both become part of the executed statement. The issue affects Rucio versions \u0026gt;= 1.27.0 and \u0026lt; 35.8.5, versions \u0026gt;= 36.0.0 and \u0026lt; 38.5.5, versions \u0026gt;= 39.0.0 and \u0026lt; 39.4.2, and versions \u0026gt;= 40.0.0 and \u0026lt; 40.1.1 when using the default \u003ccode\u003ejson_meta\u003c/code\u003e metadata plugin configuration with an Oracle database. 
Successful exploitation can lead to the extraction of sensitive data, including authentication tokens, password hashes, and managed data identifiers, as well as potential data modification or remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Rucio system using any supported authentication method (userpass, x509, OIDC, SAML, SSH, GSS).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request to the \u003ccode\u003e/dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted request includes SQL injection payloads within the filter keys or values of the request parameters.\u003c/li\u003e\n\u003cli\u003eRucio\u0026rsquo;s \u003ccode\u003eFilterEngine.create_sqla_query\u003c/code\u003e function processes the request and incorrectly interpolates the attacker-controlled input directly into a SQL query string.\u003c/li\u003e\n\u003cli\u003eThe malicious SQL query is executed against the Oracle backend database.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information from the database, such as user credentials, authentication tokens, and data management policies.\u003c/li\u003e\n\u003cli\u003eThe attacker uses stolen authentication tokens to impersonate other users and gain unauthorized access to data.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies data management rules or inserts malicious data into the Rucio system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to gain full read access to the Rucio database, potentially affecting all Oracle-based Rucio deployments using the default \u003ccode\u003ejson_meta\u003c/code\u003e configuration. 
Attackers can extract sensitive information, including password hashes, authentication tokens, and storage endpoint credentials. Because the stored password hashes are single-iteration SHA-256, they can be cracked relatively easily once extracted, and stolen authentication tokens need no cracking at all: they enable immediate session hijacking. If the database account Rucio connects with holds the corresponding privileges, the injection can also be used to modify data, to make outbound requests from the database server through Oracle packages such as \u003ccode\u003eUTL_HTTP\u003c/code\u003e (out-of-band exfiltration), or to execute code via Java stored procedures. This can lead to data breaches, service disruption, and complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Rucio to the first fixed release of the branch in use (35.8.5, 38.5.5, 39.4.2 or 40.1.1) or later to remediate CVE-2026-29080.\u003c/li\u003e\n\u003cli\u003eFor Oracle deployments, review and harden the privileges of the database account Rucio connects with, so that an injection cannot escalate beyond the Rucio schema: it should hold no EXECUTE privilege on \u003ccode\u003eUTL_HTTP\u003c/code\u003e or similar network and OS packages, and no Java privileges.\u003c/li\u003e\n\u003cli\u003eMonitor Rucio web server logs for requests to the \u003ccode\u003e/dids/\u0026lt;scope\u0026gt;/dids/search\u003c/code\u003e endpoint whose query parameters carry SQL syntax (quotes, comment sequences, \u003ccode\u003eUNION SELECT\u003c/code\u003e, Oracle package names); inspect the parameter names as well as the values, since filter keys are injectable too. 
Deploy the Sigma rule \u003ccode\u003eDetect Rucio SQL Injection Attempt via DID Search API\u003c/code\u003e to detect this behavior.\u003c/li\u003e\n\u003cli\u003eWhere userpass authentication is in use, move password storage to a slow, salted hashing algorithm (e.g., bcrypt, Argon2) to mitigate the impact of password hash extraction, and rotate tokens and credentials after upgrading if exposure is suspected.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-07T12:00:00Z","date_published":"2026-05-07T12:00:00Z","id":"/briefs/2026-05-rucio-sql-injection/","summary":"A SQL injection vulnerability exists in the Oracle path of `FilterEngine.create_sqla_query` in Rucio, allowing any authenticated user to execute arbitrary SQL against the backend database via the DID search endpoint, potentially leading to full database compromise and data exfiltration.","title":"Rucio SQL Injection Vulnerability in DID Search API","url":"https://feed.craftedsignal.io/briefs/2026-05-rucio-sql-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-29080","version":"https://jsonfeed.org/version/1.1"}
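To make the bug class in the advisory and the log-side check it recommends concrete, here is an added Python example; it is not Rucio's own `FilterEngine` code and not the Sigma rule named above. It pairs a clause builder in the flawed `str.format` shape with a hardened one that allow-lists the filter key and binds the value, then runs a detector over access-log lines that flags requests to the DID search endpoint whose filter keys or values carry SQL syntax. The column allow-list, the log lines, the IP addresses and the `tokens` table name are constructed for the example.

```python
"""Constructed illustration of the CVE-2026-29080 bug class and a log detector.

Added example code; it is not Rucio's FilterEngine and not CraftedSignal's Sigma
rule. The clause builders reproduce the pattern the advisory describes (filter
key and value pushed into the SQL text with str.format) using plain strings, so
the block runs without SQLAlchemy or an Oracle backend. The column allow-list,
log lines and endpoint path below are constructed sample data.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# --- 1. The bug class: str.format into query text vs. bound parameters ------

# Hypothetical allow-list of metadata columns a filter key may name.
ALLOWED_KEYS = frozenset({"name", "type", "project", "datatype"})


def build_clause_vulnerable(key: str, value: str) -> str:
    """Flawed pattern: key and value both become part of the executed SQL."""
    return "SELECT scope, name FROM dids WHERE {key} = '{value}'".format(
        key=key, value=value
    )


def validate_key(key: str) -> bool:
    """Identifiers cannot be bound, so the key must be checked, not escaped."""
    return key in ALLOWED_KEYS


def build_clause_safe(key: str, value: str) -> tuple[str, dict[str, str]]:
    """Hardened form: allow-listed key, value carried as a bind parameter.

    With SQLAlchemy this corresponds to text(sql).bindparams(value=value);
    the value text never touches the statement string.
    """
    if not validate_key(key):
        raise ValueError(f"unsupported filter key: {key!r}")
    return f"SELECT scope, name FROM dids WHERE {key} = :value", {"value": value}


# --- 2. Detection: DID search requests whose filters carry SQL syntax --------

SEARCH_PATH = re.compile(r"^/dids/[^/]+/dids/search$")
# Fragments that have no place in a DID filter key or value. Tune for your
# naming scheme; "--" and quotes are the usual false-positive sources.
SQL_MARKERS = re.compile(
    r"\bunion\b\s+(?:all\s+)?\bselect\b"
    r"|\b(?:or|and)\b\s+[\w']+\s*=\s*[\w']+"
    r"|--|/\*"
    r"|;\s*(?:select|insert|update|delete|drop|exec)\b"
    r"|\b(?:sleep|chr)\s*\("
    r"|\butl_http\b|\bdbms_\w+",
    re.IGNORECASE,
)
# Combined-log style request line: method, target (path + query), status.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs of a DID search query that look like SQL."""
    parts = urlsplit(target)
    if not SEARCH_PATH.match(parts.path):
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # Keys are attacker-controlled in this bug too, so inspect both sides.
        # parse_qsl decoded once; a second unquote catches double-encoded payloads.
        if any(SQL_MARKERS.search(unquote_plus(f)) for f in (name, value)):
            hits.append((name, value))
    return hits


def scan_log(lines: list[str]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Run the detector over access-log lines; one alert per matching request."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET":
            hits = suspicious_params(m.group("target"))
            if hits:
                alerts.append((m.group("target"), hits))
    return alerts


# Constructed access-log lines: one benign search, two injection attempts
# (one in a value, one in a key), one unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2026:12:01:02 +0000] "GET /dids/cms/dids/search?type=dataset&name=run2026* HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/May/2026:12:01:09 +0000] "GET /dids/cms/dids/search?name=x%27%20UNION%20SELECT%20token%20FROM%20tokens-- HTTP/1.1" 200 9812',
    '10.0.0.9 - - [07/May/2026:12:01:15 +0000] "GET /dids/cms/dids/search?project%3D1%20OR%201%3D1=x HTTP/1.1" 200 44000',
    '10.0.0.7 - - [07/May/2026:12:02:00 +0000] "GET /replicas/cms/run2026 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    payload = "x' OR 1=1 --"
    print(build_clause_vulnerable("name", payload))
    print(build_clause_safe("name", payload))
    for target, hits in scan_log(SAMPLE_LOG):
        print("ALERT", target, hits)
```

Running the module prints the two clauses for the payload `x' OR 1=1 --` (the vulnerable one carries the payload inside the statement, the safe one carries it in the parameter dict) and two alerts for the constructed log, one triggered by a value and one by a key. The marker regex is deliberately broad; a production rule would allow-list the metadata keys the deployment actually uses and tune the `--` and quote checks against real DID naming. Checking the parameter names and not only the values is the point of the example, since the advisory names filter keys as injectable alongside values.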