CVE-2026-29090: Rucio has SQL Injection in FilterEngine PostgreSQL Query Builder via DID Search API

May 6, 2026 (updated May 8, 2026)

A SQL injection vulnerability in FilterEngine.create_postgres_query allows any authenticated Rucio user to execute arbitrary SQL against the configured PostgreSQL metadata database through the DID search endpoint (GET /dids/<scope>/dids/search). When the external metadata plugin postgres_meta is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL statements via Python str.format. This enables full database compromise including data exfiltration, data modification, and potential remote code execution via COPY ... FROM PROGRAM.

References

github.com/advisories/GHSA-6j7p-qjhg-9947
github.com/rucio/rucio
github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947
nvd.nist.gov/vuln/detail/CVE-2026-29090

Code Behaviors & Features

Detect and mitigate CVE-2026-29090 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →