Listen to this Post
How CVE-2026-61667 Works
This vulnerability resides in DIRAC’s FileCatalog DatasetManager component and is triggered through a chain of insecure data handling.
The attack begins when an authenticated user supplies a malicious `datasets` argument to the `checkDataset` function in the `FileCatalogHandler` service. This argument is passed directly to the backend database handler without any sanitization. Inside the `__checkDataset` function of DatasetManager.py, an f-string is used to construct the SQL query, embedding the user-supplied input directly into the query string. This lack of parameterization or escaping creates a classic SQL injection vulnerability.
The critical escalation occurs because the result of this SQL query—now partially controlled by the attacker via the injection—is passed to Python’s `eval()` function almost immediately after the database returns it. The `eval()` call executes whatever Python expression is present in the query result. By crafting a SQL injection payload that alters the returned data to contain malicious Python code, an attacker can achieve full remote code execution on the server.
The advisory notes that other functions in the same `DatasetManager.py` file follow similar unsafe patterns, making them likely exploitable in the same manner. The vulnerability affects all DIRAC versions from 6.0.0 up to, but not including, the patched releases.
DailyCVE Form
Platform: ……. DIRACGrid/DIRAC
Version: …….. 6.0.0–8.0.78, 8.1.0a1–9.0.21, 9.1.0–9.1.9
Vulnerability :…… SQL Injection leading to RCE via eval()
Severity: ……. Critical
date: ………. July 13, 2026
Prediction: …… July 13, 2026 (Patches Released)
What Undercode Say: Analytics & Technical Indicators
The vulnerability is rooted in two dangerous coding practices: unsanitized user input in SQL queries and the use of `eval()` on untrusted data. The following indicators can be used to detect vulnerable code patterns or assess exposure:
Check DIRAC version to determine if vulnerable
dirac-version
Alternatively, check the installed package version via pip
pip show DIRAC | grep Version
Search for the vulnerable f-string pattern in the codebase
grep -r "f\"SELECT.{.}.FROM" src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/
Check for eval usage on database results in the same module
grep -A 5 -B 5 "eval(" src/DIRAC/DataManagementSystem/DB/FileCatalogComponents/DatasetManager/DatasetManager.py
Exploit
An authenticated attacker can exploit this vulnerability by injecting SQL that alters the query result to contain malicious Python code. The injected code is then executed by `eval()` upon return. A proof-of-concept exploit flow would involve:
1. Authenticating to the DIRAC service.
- Calling the `checkDataset` function with a specially crafted `datasets` parameter.
- The parameter causes the SQL query to return a value like
"__import__('os').system('id')". - This string is passed to `eval()` and executed on the server.
Conceptual exploit snippet (not functional without a valid DIRAC context) The 'datasets' argument is the injection point malicious_datasets = "'; SELECT '<strong>import</strong>(\"os\").system(\"whoami\")' -- " This would cause the query to return the malicious string, which is then passed to eval().
Protection
- Immediate: Upgrade DIRAC to one of the patched versions:
8.0.79,9.0.22, or9.1.10. - Long-term: Apply secure coding practices:
- Use parameterized queries or ORMs instead of f-string concatenation for SQL.
- Never use `eval()` on data that originates from user input or database results.
- Implement strict input validation and output encoding.
- Workaround: If patching is not immediately possible, restrict and monitor access to the FileCatalog service, as exploitation requires authenticated access.
Impact
Full System Compromise: Any authenticated user can execute arbitrary commands on the DIRAC server with the privileges of the service user.
Data Breach: Attackers can read the local `dirac.cfg` configuration file, which contains database passwords and other sensitive credentials.
Credential Theft: All stored proxies and tokens managed by the DIRAC system can be exported, allowing attackers to impersonate other users and access external resources.
Log Tampering: If local logging is used, the attacker can remove evidence of the exploit from the log files.
Lateral Movement: With the obtained credentials and tokens, attackers can pivot to other systems and services integrated with DIRAC.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

