{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-61667/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["DIRAC"],"_cs_severities":["critical"],"_cs_tags":["remote-code-execution","sql-injection","python","web-application","vulnerability","cve-2026-61667"],"_cs_type":"advisory","_cs_vendors":["DIRACGrid"],"content_html":"\u003cp\u003eA critical remote code execution vulnerability, tracked as CVE-2026-61667, has been identified in DIRAC's FileCatalog DatasetManager. This vulnerability allows an authenticated user to execute arbitrary code on the server by combining an SQL injection flaw with the improper use of Python's \u003ccode\u003eeval\u003c/code\u003e function. Specifically, the \u003ccode\u003echeckDataset\u003c/code\u003e function in \u003ccode\u003eFileCatalogHandler.py\u003c/code\u003e passes user-controlled input directly into an SQL query without proper escaping, leading to injection. The malicious SQL injection can manipulate the database query's result, which is subsequently passed to \u003ccode\u003eeval\u003c/code\u003e in \u003ccode\u003eDatasetManager.py\u003c/code\u003e, granting an attacker full control over the system. This allows for reading sensitive configuration files, exfiltrating database passwords, and compromising stored proxies and tokens, with the potential to also erase exploit evidence from logs. Patched versions are available for DIRAC 8.0.79, 9.0.22, and 9.1.10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker initiates a request to the DIRAC system, targeting the \u003ccode\u003eFileCatalog.checkDataset\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003edatasets\u003c/code\u003e argument containing an SQL injection payload and sends it to the backend database handler.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e__checkDataset\u003c/code\u003e function in \u003ccode\u003eDatasetManager.py\u003c/code\u003e constructs an SQL query using an f-string with the unescaped, user-controlled \u003ccode\u003edatasets\u003c/code\u003e argument, creating an SQL injection vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected SQL payload is designed to manipulate the query's result set, inserting arbitrary Python code that the attacker wishes to execute.\u003c/li\u003e\n\u003cli\u003eThe database executes the modified query and returns the manipulated result, which now contains the attacker's arbitrary Python code.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eDatasetManager.py\u003c/code\u003e module immediately passes this returned, attacker-controlled result to Python's \u003ccode\u003eeval\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eeval\u003c/code\u003e function executes the attacker's arbitrary Python code with the privileges of the DIRAC application.\u003c/li\u003e\n\u003cli\u003eRemote code execution is achieved, allowing the attacker to perform actions such as reading \u003ccode\u003edirac.cfg\u003c/code\u003e, exfiltrating database credentials, and deleting log evidence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61667 grants any authenticated user the ability to execute arbitrary commands on the DIRAC server, leading to a complete compromise of the system. Attackers can read sensitive configuration files like \u003ccode\u003edirac.cfg\u003c/code\u003e, extract database passwords, and exfiltrate all stored proxies and tokens, thereby gaining extensive access to the environment. Furthermore, if local logging is employed, the attacker can leverage this RCE to remove evidence of their activities, hindering incident response and forensic investigations. The vulnerability affects multiple versions of DIRAC, specifically versions from 6 up to 8.0.79, 8.1.0a1 up to 9.0.22, and 9.1.0 up to 9.1.10.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update all affected DIRAC installations to a patched version (8.0.79, 9.0.22, or 9.1.10) as listed in the advisory to remediate CVE-2026-61667.\u003c/li\u003e\n\u003cli\u003eEnsure proper input validation and parameterized queries are implemented for all database interactions within applications to prevent similar SQL injection vulnerabilities.\u003c/li\u003e\n\u003cli\u003eImplement robust logging and monitoring for critical application functions and ensure logs are forwarded to a secure, immutable log management system to prevent tampering, as attackers can remove evidence if local logging is used.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:41:36Z","date_published":"2026-07-13T18:41:36Z","id":"https://feed.craftedsignal.io/briefs/2026-07-dirac-rce/","summary":"An authenticated user can achieve remote code execution in DIRAC's FileCatalog DatasetManager due to an SQL injection vulnerability (CVE-2026-61667) that allows manipulation of query results passed to an `eval` function, leading to full system compromise.","title":"DIRAC Vulnerable to Remote Code Execution via SQL Injection and Eval in DatasetManager","url":"https://feed.craftedsignal.io/briefs/2026-07-dirac-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-61667","version":"https://jsonfeed.org/version/1.1"}