CVE-2026-29090— Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-29090
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rucio SQL injection in postgres_meta DID search path compromises PostgreSQL metadata database
Source: NVD (National Vulnerability Database)
Vulnerability Description
### Summary A SQL injection vulnerability exists in Rucio versions 1.30.0 and later before 35.8.5, 38.5.5, 39.4.2, and 40.1.1, in `FilterEngine.create_postgres_query()`. This allows any authenticated Rucio user to execute arbitrary SQL against the PostgreSQL metadata database through the DID search endpoint (`GET /dids/<scope>/dids/search`). When the `postgres_meta` metadata plugin is configured, attacker-controlled filter keys and values are interpolated directly into raw SQL strings via Python `.format()`, then passed to `psycopg3`'s `sql.SQL()` which treats the string as trusted SQL syntax. Depending on the database privileges assigned to the service account, exploitation can expose sensitive tables, modify or delete metadata, access server-side files, or achieve code execution through PostgreSQL features such as COPY ... FROM PROGRAM. This issue affects deployments that explicitly use the postgres_meta metadata plugin. This vulnerability has been fixed in versions 35.8.5, 38.5.5, 39.4.2, and 40.1.1.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-29090
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-29090
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: rucio
- CVE-2026-29080
Rucio SQL Injection in FilterEngine Oracle JSON Path via DID - CVE-2026-25736
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerab - CVE-2026-25735
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerab - CVE-2026-25734
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Met - CVE-2026-25733
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS)
Same vendor: rucio
- CVE-2026-29080
Rucio SQL Injection in FilterEngine Oracle JSON Path via DID - CVE-2026-25736
Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerab - CVE-2026-25735
Rucio WebUI has a Stored Cross-site Scripting (XSS) vulnerab - CVE-2026-25734
Rucio WebUI has Stored Cross-site Scripting (XSS) in RSE Met - CVE-2026-25733
Rucio WebUI Vulnerable to Stored Cross-site Scripting (XSS)
Same weakness: CWE-89
- CVE-2026-42287
Emlog: SQL Injection Vulnerability in log_model.php within a - CVE-2026-41889
pgx: SQL Injection via placeholder confusion with dollar quo - CVE-2026-41496
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 - CVE-2026-42208
LiteLLM: SQL injection in Proxy API key verification - CVE-2026-8133
zyx0814 FilePress Shares Filelist API admin.php sql injectio
V. Comments for CVE-2026-29090
No comments yet