Date: 2026-05-07 Updated:
CRITICAL risk SQL injection vulnerabilities in Rucio, which affect metadata configurations.
EGI SVG ID : EGI-SVG-2026-13
CVE ID : CVE-2026-29080, CVE-2026-29090
CVSS Score : 9.4/9.0 [R 3] [R 4]
These vulnerabilities affect:
NOT affected: PostgreSQL/MySQL deployments using the default json_meta plugin
Fixed versions:
35 LTS -> 35.8.5
38 LTS -> 38.5.5
39 -> 39.4.2
40 -> 40.1.1
Sites running Rucio are required to update urgently, using the information in the references below.
All running resources MUST be patched, have mitigation in place, or have the software removed by 2026-05-15 00:00 UTC.
Sites failing to act or to respond to requests from the EGI CSIRT team risk site suspension.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2026-13
https://advisories.egi.eu/Advisory-SVG-CVE-2026-29080
https://advisories.egi.eu/Advisory-SVG-CVE-2026-29090
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
-----------------------------
Comments or questions should be sent to
svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at
report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 5] https://github.com/rucio/rucio/security/advisories/GHSA-vjr5-c9qv-hgm3
[R 6] https://github.com/rucio/rucio/security/advisories/GHSA-6j7p-qjhg-9947
[R 99] https://confluence.egi.eu/display/EGIBG/SVG+Advisories
SVG was alerted to this vulnerability by Dr. Martin Barisits