PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-29080 Cern CVE debrief

CVE-2026-29080 is a critical SQL injection in Rucio’s DID search path that affects Oracle-backed deployments. An authenticated user can reach the vulnerable query builder through GET /dids/<scope>/dids/search, where attacker-controlled filter keys and values are interpolated into raw SQL instead of being safely parameterized. The published impact is broad: arbitrary SQL execution against the backend database, with potential exposure or modification of managed data and sensitive records. Fixed releases are 35.8.5, 38.5.5, 39.4.2, and 40.1.1.

Vendor
Cern
Product
Rucio (CVE-2026-29080)
CVSS
CRITICAL 9.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-06
Original CVE updated
2026-05-11
Advisory published
2026-05-06
Advisory updated
2026-05-11

Who should care

Rucio operators using Oracle databases, especially anyone exposing the DID search API to authenticated users. Security teams, application owners, and DBAs should prioritize this if their deployment falls into one of the affected version ranges.

Technical summary

The issue is in FilterEngine.create_sqla_query() within lib/rucio/core/did_meta_plugins/filter_engine.py. For Oracle deployments, JSON metadata filter expressions are assembled with sqlalchemy.text() and Python .format(), which bypasses parameterization. The vulnerable path accepts attacker-controlled filter keys and values from the DID search endpoint, allowing SQL fragments to be constructed directly from request input. NVD lists affected ranges as 1.27.0 before 35.8.5, 36.0.0 before 38.5.5, 39.0.0 before 39.4.2, and 40.0.0 before 40.1.1. The issue is described as Oracle-specific and does not affect PostgreSQL or MySQL deployments using the default json_meta plugin.
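The two query builders below are an added illustration of the bug class described above, not Rucio's code: sqlite3's json_extract() stands in for the Oracle JSON functions, the dids table and its rows are constructed for the demo, and plain DB-API parameter binding is used where Rucio would use SQLAlchemy. The vulnerable builder splices the request's key and value into the SQL with str.format(), exactly the pattern the advisory describes; the hardened one validates the key against an allowlist (the key becomes part of a JSON path, which some dialects require to be a literal and so cannot always be bound) and binds scope, path and value as parameters.

```python
import re
import sqlite3
from typing import Dict, List

# Constructed sample data for the demo (scope, name, JSON metadata).
SAMPLE_DIDS = [
    ("user.alice", "file1", '{"project": "alpha"}'),
    ("user.alice", "file2", '{"project": "beta"}'),
    ("user.bob", "file3", '{"project": "gamma"}'),
]

# Assumed allowlist for metadata keys: identifier-like names only.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_db() -> sqlite3.Connection:
    """In-memory sqlite3 database standing in for the Oracle backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dids (scope TEXT, name TEXT, meta TEXT)")
    conn.executemany("INSERT INTO dids VALUES (?, ?, ?)", SAMPLE_DIDS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, scope: str, key: str, value: str) -> List[str]:
    """Vulnerable pattern: key and value land in the SQL text verbatim via str.format()."""
    sql = (
        "SELECT name FROM dids WHERE scope = '{scope}' "
        "AND json_extract(meta, '$.{key}') = '{value}' ORDER BY name"
    ).format(scope=scope, key=key, value=value)
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn: sqlite3.Connection, scope: str, key: str, value: str) -> List[str]:
    """Hardened pattern: validate the key (it forms the JSON path), bind everything else."""
    if not _KEY_RE.match(key):
        raise ValueError(f"rejected metadata key: {key!r}")
    sql = (
        "SELECT name FROM dids WHERE scope = ? "
        "AND json_extract(meta, ?) = ? ORDER BY name"
    )
    return [row[0] for row in conn.execute(sql, (scope, "$." + key, value))]


def run_demo() -> Dict[str, object]:
    """Runs both builders against a benign value, an injected value and an injected key."""
    conn = build_db()
    # Constructed payload: closes the string literal and appends a tautology, so the
    # scope restriction is bypassed and every scope's DIDs come back.
    payload = "x' OR '1'='1"
    try:
        search_hardened(conn, "user.alice", "project') OR ('1'='1", "alpha")
        key_rejected = False
    except ValueError:
        key_rejected = True
    return {
        "vuln_benign": search_vulnerable(conn, "user.alice", "project", "alpha"),
        "vuln_injected": search_vulnerable(conn, "user.alice", "project", payload),
        "hard_benign": search_hardened(conn, "user.alice", "project", "alpha"),
        "hard_injected": search_hardened(conn, "user.alice", "project", payload),
        "hard_key_rejected": key_rejected,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

With the injected value the vulnerable builder returns all three DIDs, including user.bob's, while the hardened builder returns nothing because the bound value is compared literally; an injected key never reaches the database at all.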

Defensive priority

Immediate. This is a network-reachable, authenticated SQL injection with critical impact on confidentiality, integrity, and availability for affected Oracle deployments.

Recommended defensive actions

  • Upgrade to the first fixed release for your branch: 35.8.5, 38.5.5, 39.4.2, or 40.1.1.
  • Confirm whether your Rucio deployment uses Oracle; the reported issue is Oracle-specific.
  • Review access to the DID search endpoint and ensure only intended authenticated users can reach it.
  • Check database audit and application logs for unusual DID search activity or unexpected SQL behavior.
  • If there is any indication of abuse, assess database and credential exposure in line with your incident response process.
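To turn the first two actions into a repeatable check, the following added helper (not a Rucio or NVD tool) encodes the affected ranges listed by NVD above and combines a version comparison with the Oracle-only condition. Version strings of the form MAJOR.MINOR.PATCH with an optional "v" prefix or "rcN" suffix are an assumption of this demo; a release candidate is treated as older than its final release, so 35.8.5rc1 is still reported as affected.

```python
import re
from typing import Optional, Tuple

# Affected ranges as listed by NVD for CVE-2026-29080: [introduced, fixed) per branch.
AFFECTED_RANGES = (
    ("1.27.0", "35.8.5"),
    ("36.0.0", "38.5.5"),
    ("39.0.0", "39.4.2"),
    ("40.0.0", "40.1.1"),
)

# Assumed version shape: optional 'v', three numeric components, optional 'rcN'.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(rc\d+)?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parses 'MAJOR.MINOR.PATCH[rcN]' into a sortable tuple; an rc sorts below its release."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1)


def first_fixed_release(version: str) -> Optional[str]:
    """Returns the first fixed release for the branch an affected version is on, else None."""
    v = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= v < parse_version(fixed):
            return fixed
    return None


def assess(version: str, db_backend: str) -> Tuple[bool, Optional[str]]:
    """(vulnerable_as_reported, fixed_release).

    The fixed release is reported whenever the version is in an affected range, so
    operators on other backends can still see the branch they would upgrade to; the
    vulnerable flag is only set for Oracle, matching the advisory's scope.
    """
    fixed = first_fixed_release(version)
    if fixed is None:
        return (False, None)
    return (db_backend.strip().lower() == "oracle", fixed)


if __name__ == "__main__":
    for ver, backend in (("35.8.4", "oracle"), ("40.1.0", "postgresql"), ("40.1.1", "oracle")):
        vulnerable, fixed = assess(ver, backend)
        verdict = "upgrade to " + fixed if vulnerable else "not reported as affected"
        print(f"Rucio {ver} on {backend}: {verdict}")
```

The version check alone answers "which fixed release applies to my branch"; the backend argument is what keeps the result honest for PostgreSQL and MySQL deployments, which the advisory does not list as affected.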

Evidence notes

The supplied NVD record marks the vulnerability as analyzed, assigns CWE-89, and lists the affected version ranges. The vendor advisory linked in the source corpus describes the Oracle-specific SQL injection in FilterEngine.create_sqla_query() and the fixed releases. CVE publication time is 2026-05-06T17:16:22.457Z and the record was modified on 2026-05-11T15:07:20.577Z.

Official resources

Publicly disclosed on 2026-05-06 via the NVD record and the linked GitHub security advisory; the CVE record was updated on 2026-05-11.