CVE-2026-29090

Rucio contains a SQL injection in FilterEngine.create_postgres_query() when the postgres_meta metadata plugin is configured. Attacker-controlled filter keys/values are interpolated into raw SQL via Python .format() and passed to psycopg3.sql.SQL(), enabling arbitrary SQL against the PostgreSQL me...

CVE-2026-29080

A SQL injection vulnerability in FilterEngine.createsqlaquery allows any authenticated Rucio user to execute arbitrary SQL against the backend database through the DID search endpoint GET /dids//dids/search. On Oracle deployments attacker-controlled filter keys and values are interpolated directl...

Rucio SQL注入漏洞

Rucio is an open-source scientific data management tool developed by Rucio team. Rucio has a SQL injection vulnerability, which stems from the SQL injection in the FilterEngine.createpostgresquery method. This vulnerability allows any authenticated Rucio user to execute arbitrary SQL queries...

Rucio 安全漏洞

Rucio is an open-source scientific data management tool developed by Rucio team. Versions of Rucio prior to 35.8.3, 38.5.4, and 39.3.1 contained security vulnerabilities. These vulnerabilities were caused by reflective cross-site scripting in the rendering of the ExceptionMessage on the WebUI 500...

CVE-2025-54064

CVE-2025-54064 affects Rucio helm charts for rucio-server, rucio-ui, and rucio-webui. The Apache access-log format includes the X-Rucio-Auth-Token header (which may contain Internal Rucio tokens or JWTs), potentially exposing credentials in log lines. Affected versions and patches: rucio-server 3...