PatchSiren

Cern CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Cern CVE published 2026-05-06

CVE-2026-29090

CVE-2026-29090 is a critical SQL injection issue in Rucio's `FilterEngine.create_postgres_query()` path. When the `postgres_meta` metadata plugin is enabled, authenticated users can supply attacker-controlled filter keys and values through the DID search endpoint and have them interpolated into raw PostgreSQL SQL. The result can include exposure, modification, or deletion of metadata, and in some environm [truncated]

CRITICAL Cern CVE published 2026-05-06

CVE-2026-29080

CVE-2026-29080 is a critical SQL injection in Rucio’s DID search path that affects Oracle-backed deployments. An authenticated user can reach the vulnerable query builder through `GET /dids/<scope>/dids/search`, where attacker-controlled filter keys and values are interpolated into raw SQL instead of being safely parameterized. The published impact is broad: arbitrary SQL execution against the backend datab [truncated]