PatchSiren cyber security CVE debrief
CVE-2026-29090 Cern CVE debrief
CVE-2026-29090 is a critical SQL injection issue in Rucio's `FilterEngine.create_postgres_query()` path. When the `postgres_meta` metadata plugin is enabled, authenticated users can supply attacker-controlled filter keys and values through the DID search endpoint and have them interpolated into raw PostgreSQL SQL. The result can include exposure, modification, or deletion of metadata, and in some environments broader database compromise. Fixed releases are available.
- Vendor: Cern
- Product: Rucio
- CVE: CVE-2026-29090
- CVSS: 9 (CRITICAL)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-06
- Original CVE updated: 2026-05-11
- Advisory published: 2026-05-06
- Advisory updated: 2026-05-11
Who should care
Rucio operators who use the `postgres_meta` metadata plugin, especially if authenticated users can reach the DID search endpoint (`GET /dids/<scope>/dids/search`). Database administrators should also review the PostgreSQL service account privileges because impact depends on what that account can do.
Technical summary
The issue is a SQL injection in `FilterEngine.create_postgres_query()`, affecting Rucio from version 1.30.0 onward within the vulnerable ranges identified by NVD. The vulnerable flow occurs only when `postgres_meta` is configured: attacker-controlled filter keys and values are interpolated into a raw SQL string with Python `.format()`, and that string is then wrapped in psycopg 3's `sql.SQL()`, which by design treats its argument as trusted SQL text rather than data. The composition API therefore provides no protection here; identifiers would need `sql.Identifier` and values would need bound parameters (or `sql.Literal`) to be quoted safely. NVD lists CWE-89 and scores the issue as network-reachable with low attack complexity and low privileges required, consistent with an authenticated user reaching the DID search endpoint.
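The pattern described above, reproduced as an added example. This is not Rucio's code and not the advisory's: sqlite3 stands in for PostgreSQL and psycopg, and the `did_meta` table and its rows are constructed for the demo. What it preserves is the shape of the bug (a filter key and value from the caller joined into the SQL text with `str.format`, then executed as trusted SQL) next to a hardened variant that keeps the same query but binds the data as parameters and rejects keys that are not plain identifiers.

```python
"""Vulnerable vs hardened metadata filter query (added example, not Rucio code).

sqlite3 is a stand-in for PostgreSQL/psycopg; the table layout, rows and the
identifier allow-list are this example's own choices.
"""
import re
import sqlite3

# Constructed sample metadata, one (scope, name, key, value) row per attribute.
SAMPLE_ROWS = [
    ("user.alice", "file1", "project", "atlas"),
    ("user.alice", "file2", "project", "cms"),
    ("user.bob", "secret", "project", "restricted"),
]

# Filter keys allowed to reach the query: plain SQL-identifier shape
# (this pattern is the example's own rule, not Rucio's).
SAFE_KEY = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def make_db():
    """In-memory stand-in for the metadata store, loaded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE did_meta (scope TEXT, name TEXT, key TEXT, value TEXT)"
    )
    conn.executemany("INSERT INTO did_meta VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_search(conn, scope, key, value):
    """Vulnerable: caller data is formatted straight into the query text.

    The driver receives one string and cannot tell data from syntax, which is
    what handing a pre-formatted string to a trusted-SQL wrapper such as
    psycopg's sql.SQL() amounts to.
    """
    query = (
        "SELECT scope, name FROM did_meta "
        "WHERE scope = '{}' AND (key = '{}' AND value = '{}')"
    ).format(scope, key, value)
    return [tuple(row) for row in conn.execute(query)]


def key_is_safe(key):
    """True if the filter key has a plain identifier shape."""
    return SAFE_KEY.match(key) is not None


def hardened_search(conn, scope, key, value):
    """Hardened: same query, every piece of caller data bound as a parameter,
    and the key allow-listed before it goes anywhere near the SQL text."""
    if not key_is_safe(key):
        raise ValueError(f"rejected filter key: {key!r}")
    query = (
        "SELECT scope, name FROM did_meta "
        "WHERE scope = ? AND key = ? AND value = ?"
    )
    return [tuple(row) for row in conn.execute(query, (scope, key, value))]


def demo():
    """Runs the scope bypass through both paths; returns (leaked, hardened)."""
    conn = make_db()
    # Constructed payload: closes the value literal and the parenthesis, then
    # appends a tautology, so the scope restriction no longer applies.
    payload = "x') OR ('1'='1"
    leaked = vulnerable_search(conn, "user.alice", "project", payload)
    safe = hardened_search(conn, "user.alice", "project", payload)
    return leaked, safe


if __name__ == "__main__":
    leaked_rows, safe_rows = demo()
    print("vulnerable path returned:", leaked_rows)  # includes user.bob's DID
    print("hardened path returned:", safe_rows)      # []
```

With psycopg 3 the equivalent fix is to compose the statement with `sql.SQL("... WHERE {} = %s").format(sql.Identifier(key))` and pass the value through the `params` argument of `execute()`, never to `.format()` the key or value into the string before it reaches `sql.SQL()`. A real driver may also accept stacked statements in a single string, which is why the advisory's impact extends beyond exposure to modification and deletion; sqlite3's `execute()` refuses them, so this demo shows only the read-side bypass.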
Defensive priority
Critical. This is an authenticated, remotely reachable injection issue with potential impact to confidentiality, integrity, and availability of the PostgreSQL metadata store. Prioritize patching any deployment that uses `postgres_meta`.
Recommended defensive actions
- Upgrade to a fixed release: 35.8.5, 38.5.5, 39.4.2, or 40.1.1, depending on your release line.
- Confirm whether `postgres_meta` is enabled in any deployed Rucio environment; if not in use, verify it remains disabled.
- Review PostgreSQL privileges granted to the Rucio service account and reduce them to the minimum required.
- Restrict access to the DID search endpoint to trusted authenticated users while remediation is underway.
- Validate deployed version ranges against the affected versions listed by NVD before declaring the environment safe.
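A triage helper for the actions above, as an added example (not from the advisory and not Rucio tooling). It answers two questions offline: whether a deployed version is at or above one of the fixed releases named above within its own release line, and whether a `rucio.cfg` enables the `postgres_meta` plugin. Assumptions: versions are dotted integers, and the plugin list lives in a `[metadata]` section under a `plugins` option (verify the option name against your deployment). Release lines without a listed fix are reported as unknown so they get checked against the NVD ranges rather than assumed safe.

```python
"""Version and configuration triage for CVE-2026-29090 (added example).

Not part of the advisory or of Rucio. The config layout ([metadata] section,
`plugins` option) is an assumption made for the demo.
"""
import configparser
import re

# Fixed releases listed in the advisory, keyed by major release line.
FIXED_RELEASES = {
    35: (35, 8, 5),
    38: (38, 5, 5),
    39: (39, 4, 2),
    40: (40, 1, 1),
}
FIRST_AFFECTED = (1, 30, 0)  # NVD: affected from 1.30.0 onward

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed rucio.cfg fragments for the demo; plugin class paths are
# placeholders, not Rucio's real module names.
CFG_ENABLED = """
[metadata]
plugins = example.plugins.json_meta.JsonMeta, example.plugins.postgres_meta.PostgresMeta
"""
CFG_DISABLED = """
[metadata]
plugins = example.plugins.json_meta.JsonMeta
"""


def parse_version(text):
    """'38.5.4rc1' -> (38, 5, 4); a trailing suffix is ignored."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.groups())


def fix_status(version):
    """'not_affected', 'fixed', 'vulnerable' or 'unknown' for one version."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return "not_affected"
    fix = FIXED_RELEASES.get(v[0])
    if fix is None:
        return "unknown"  # no fixed release listed for this line; check NVD
    return "fixed" if v >= fix else "vulnerable"


def postgres_meta_enabled(cfg_text):
    """True if the [metadata] plugins option names a postgres_meta plugin
    (assumed layout, see module docstring)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(cfg_text)
    plugins = cp.get("metadata", "plugins", fallback="")
    return any("postgres_meta" in p for p in plugins.split(","))


def triage(version, cfg_text):
    """Combine both checks into a single action for the operator."""
    status = fix_status(version)
    plugin_on = postgres_meta_enabled(cfg_text)
    if status in ("fixed", "not_affected"):
        return "no action"
    if status == "unknown":
        return "check NVD ranges"
    return "patch now" if plugin_on else "patch (plugin disabled)"


if __name__ == "__main__":
    for ver, cfg in (("38.5.4", CFG_ENABLED), ("39.4.2", CFG_ENABLED),
                     ("37.0.0", CFG_DISABLED), ("40.0.9", CFG_DISABLED)):
        print(ver, fix_status(ver), "->", triage(ver, cfg))
```

Treat "patch (plugin disabled)" as a reminder rather than a pass: the vulnerable code is still deployed, and the plugin only has to be enabled later for the exposure to return.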
Evidence notes
This debrief is based on the official NVD record and the linked GitHub security advisory. The source describes the vulnerable function, the DID search endpoint, the `postgres_meta` dependency, the affected version ranges, and the fixed releases. Impact statements are limited to what is supported by the supplied corpus.
Official resources
- CVE-2026-29090 CVE record (CVE.org)
- CVE-2026-29090 NVD detail (NVD)
- Source item: NVD modified feed (`nvd_modified`)
- Mitigation or vendor reference: Vendor Advisory (the GitHub security advisory linked from the NVD record)
Publicly disclosed in the CVE record and NVD on 2026-05-06, with a vendor advisory referenced by NVD. The CVE record was last modified on 2026-05-11.