DIRAC (FileCatalog DatasetManager) Remote Code Execution (RCE) via SQL Injection + eval — CVE-2026-61667 (Critical) -DC-Jul2026-956

Listen to this Post

How CVE-2026-61667 Works

This vulnerability resides in DIRAC’s FileCatalog DatasetManager component and is triggered through a chain of insecure data handling.
The attack begins when an authenticated user supplies a malicious `datasets` argument to the `checkDataset` function in the `FileCatalogHandler` service. This argument is passed directly to the backend database handler without any sanitization. Inside the `__checkDataset` function of DatasetManager.py, an f-string is used to construct the SQL query, embedding the user-supplied input directly into the query string. This lack of parameterization or escaping creates a classic SQL injection vulnerability.
The critical escalation occurs because the result of this SQL query—now partially controlled by the attacker via the injection—is passed to Python’s `eval()` function almost immediately after the database returns it. The `eval()` call executes whatever Python expression is present in the query result. By crafting a SQL injection payload that alters the returned data to contain malicious Python code, an attacker can achieve full remote code execution on the server.
The advisory notes that other functions in the same `DatasetManager.py` file follow similar unsafe patterns, making them likely exploitable in the same manner. The vulnerability affects all DIRAC versions from 6.0.0 up to, but not including, the patched releases.

DailyCVE Form

Platform: ……. DIRACGrid/DIRAC
Version: …….. 6.0.0–8.0.78, 8.1.0a1–9.0.21, 9.1.0–9.1.9
Vulnerability :…… SQL Injection leading to RCE via eval()
Severity: ……. Critical
date: ………. July 13, 2026

Prediction: …… July 13, 2026 (Patches Released)

What Undercode Say: Analytics & Technical Indicators

The vulnerability is rooted in two dangerous coding practices: unsanitized user input in SQL queries and the use of `eval()` on untrusted data. The following indicators can be used to detect vulnerable code patterns or assess exposure:

Check DIRAC version to determine if vulnerable
dirac-version
Alternatively, check the installed package version via pip
pip show DIRAC | grep Version
Search for the vulnerable f-string pattern in the codebase
grep -r "f\"SELECT.{.}.FROM" src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/
Check for eval usage on database results in the same module
grep -A 5 -B 5 "eval(" src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py

Exploit

An authenticated attacker can exploit this vulnerability by injecting SQL that alters the query result to contain malicious Python code. The injected code is then executed by `eval()` upon return. A proof-of-concept exploit flow would involve:

1. Authenticating to the DIRAC service.

  1. Calling the `checkDataset` function with a specially crafted `datasets` parameter.
  2. The parameter causes the SQL query to return a value like "__import__('os').system('id')".
  3. This string is passed to `eval()` and executed on the server.
    Conceptual exploit snippet (not functional without a valid DIRAC context)
    The 'datasets' argument is the injection point
    malicious_datasets = "'; SELECT '<strong>import</strong>(\"os\").system(\"whoami\")' -- "
    This would cause the query to return the malicious string,
    which is then passed to eval().
    

Protection

  • Immediate: Upgrade DIRAC to one of the patched versions: 8.0.79, 9.0.22, or 9.1.10.
  • Long-term: Apply secure coding practices:
  • Use parameterized queries or ORMs instead of f-string concatenation for SQL.
  • Never use `eval()` on data that originates from user input or database results.
  • Implement strict input validation and output encoding.
  • Workaround: If patching is not immediately possible, restrict and monitor access to the FileCatalog service, as exploitation requires authenticated access.

Impact

Full System Compromise: Any authenticated user can execute arbitrary commands on the DIRAC server with the privileges of the service user.
Data Breach: Attackers can read the local `dirac.cfg` configuration file, which contains database passwords and other sensitive credentials.
Credential Theft: All stored proxies and tokens managed by the DIRAC system can be exported, allowing attackers to impersonate other users and access external resources.
Log Tampering: If local logging is used, the attacker can remove evidence of the exploit from the log files.
Lateral Movement: With the obtained credentials and tokens, attackers can pivot to other systems and services integrated with DIRAC.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top