CVE-2026-25735
📋 TL;DR
This stored XSS vulnerability in Rucio's WebUI allows attackers to inject malicious JavaScript into the Identity Name field, which persists in the backend and executes when users view affected pages. This can lead to session token theft or unauthorized actions in the WebUI context. Users of Rucio versions prior to 35.8.3, 38.5.4, and 39.3.1 are affected.
💻 Affected Systems
- Rucio
📦 What is this software?
Rucio by CERN
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover via session token theft, leading to unauthorized data access, policy manipulation, or data deletion in the Rucio system.
Likely Case
Session hijacking allowing unauthorized access to the victim's Rucio WebUI, potentially enabling data viewing or limited unauthorized actions.
If Mitigated
No impact if proper output encoding is implemented or if the vulnerability is patched before exploitation.
🎯 Exploit Status
Exploitation requires the attacker to have access to create/modify identity names in Rucio, then wait for victims to view affected pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 35.8.3, 38.5.4, or 39.3.1 depending on your branch
Vendor Advisory: https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5
Restart Required: Yes
Instructions:
1. Identify your Rucio version branch (35.x, 38.x, or 39.x).
2. Upgrade to the corresponding patched version: 35.8.3, 38.5.4, or 39.3.1.
3. Restart all Rucio services, including the WebUI.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize Identity Name fields before storage
# Requires code modification - implement proper HTML encoding for Identity Name fields
Content Security Policy
Implement a strict CSP header to limit script execution
# Add to web server configuration: Content-Security-Policy: script-src 'self'
🧯 If You Can't Patch
- Restrict access to Rucio WebUI to trusted users only using network segmentation
- Implement WAF rules to detect and block XSS payloads in Identity Name fields
🔍 How to Verify
Check if Vulnerable:
Check Rucio version against affected versions: if running any version before 35.8.3, 38.5.4, or 39.3.1, you are vulnerable.
Check Version:
rucio --version
Verify Fix Applied:
After patching, test by attempting to inject basic XSS payloads into Identity Name fields and verify they are properly encoded when displayed.
📡 Detection & Monitoring
Log Indicators:
- Unusual JavaScript patterns in Identity Name fields
- Multiple failed login attempts from new locations
Network Indicators:
- Unexpected outbound connections from Rucio WebUI sessions
SIEM Query:
source="rucio_webui" AND (message="*<script>*" OR message="*javascript:*")
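As an added example (not Rucio's own code), the hardened output-encoding path from the workarounds section beside the pre-fix rendering, plus the SIEM patterns above applied to constructed log lines. The table-cell template and the log line format are assumptions, not Rucio's actual template or log layout.

```python
import html
import re

# Constructed canary value for local testing of the rendering paths.
# Not taken from the advisory; it only demonstrates that markup in a
# stored Identity Name must be encoded when displayed.
CANARY_NAME = "<script>alert(1)</script>"


def render_identity_row_unsafe(identity_name: str) -> str:
    """Pre-fix behaviour (hypothetical template): the stored value is
    interpolated raw, so any markup it contains becomes part of the page."""
    return f"<td>{identity_name}</td>"


def render_identity_row(identity_name: str) -> str:
    """Hardened rendering: HTML-encode at output time so the value is shown
    as text. quote=True also encodes ' and ", which matters when the same
    value is placed inside an attribute. Note that html.escape is only
    correct for HTML body and quoted-attribute contexts, not for values
    placed inside JavaScript or URLs, which need their own encoders."""
    return f"<td>{html.escape(identity_name, quote=True)}</td>"


# Detection: the same two patterns as the SIEM query on this page,
# applied to application log lines (constructed format, assumed).
XSS_PATTERN = re.compile(r"<script|javascript:", re.IGNORECASE)


def flag_suspicious_log_lines(lines):
    """Return the log lines whose Identity Name content matches the
    page's indicator patterns, for SOC review."""
    return [line for line in lines if XSS_PATTERN.search(line)]


SAMPLE_LOG = [  # constructed sample lines
    'source=rucio_webui identity_update account=alice identity="alice@example.org"',
    'source=rucio_webui identity_update account=bob identity="<SCRIPT>alert(1)</SCRIPT>"',
    'source=rucio_webui identity_update account=eve identity="javascript:void(0)"',
]


if __name__ == "__main__":
    print(render_identity_row_unsafe(CANARY_NAME))
    print(render_identity_row(CANARY_NAME))
    for line in flag_suspicious_log_lines(SAMPLE_LOG):
        print("FLAGGED:", line)
```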
🔗 References
- https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
- https://github.com/rucio/rucio/releases/tag/35.8.3
- https://github.com/rucio/rucio/releases/tag/38.5.4
- https://github.com/rucio/rucio/releases/tag/39.3.1
- https://github.com/rucio/rucio/security/advisories/GHSA-8wpv-6x3f-3rm5