DIRAC RequestManager, Remote Code Execution (RCE), CVE-2026-45579 (Critical) -DC-Jul2026-936

Listen to this Post

How CVE-2026-45579 Works

The vulnerability exists in DIRAC’s RequestManager component due to unsafe use of Python’s `eval()` function on user-supplied input. The `export_getRequestCountersWeb` function within `ReqManagerHandler.py` is callable by any authenticated user without additional authorization checks. This function passes user-controlled parameters directly to the `getCounters` method in the `RequestDB` class.
Inside `RequestDB.py` (lines 766-776), the `groupingAttribute` parameter is processed. If the provided string is not recognized as a valid attribute, the code prepends `Request.` to it and passes the resulting string directly into an `eval()` call. This allows an attacker to inject arbitrary Python code by supplying a carefully crafted “dunder” (double underscore) string that traverses the `Request` object’s methods to reach the `os` module.
For example, by passing a `groupingAttribute` value such as __class__.__base__.__subclasses__()..., an attacker can navigate the Python object hierarchy, eventually accessing functions like `os.system()` or `os.popen()` to execute arbitrary operating system commands on the DIRAC server. The server executes these commands with the privileges of the system user running the DIRAC services.
The impact is severe: authenticated attackers can read sensitive configuration files (e.g., dirac.cfg), obtain database credentials, export all stored proxies and tokens, and—if local logging is used—remove evidence of the exploit from log files. The advisory also notes that other `eval()` uses in `ReqManager/RequestDB` may be equally exploitable.

DailyCVE Form:

Platform: ……. DIRAC
Version: …….. >=6,<8.0.79/>=8.1.0a1,<9.0.22/>=9.1.0,<9.1.10
Vulnerability :…… Remote Code Execution (RCE) via eval()
Severity: ……. Critical
date: ………. 2026-07-13

Prediction: …… 2026-07-20 (within ~1 week)

What Undercode Say:

Check current DIRAC version
pip show DIRAC | grep Version
Verify if vulnerable (example for v9.1.0)
python3 -c "import DIRAC; print(DIRAC.<strong>version</strong>)"
List all installed DIRAC packages
pip list | grep -i dirac

The vulnerability resides in `src/DIRAC/RequestManagementSystem/Service/ReqManagerHandler.py` at line 270 and `src/DIRAC/RequestManagementSystem/DB/RequestDB.py` at lines 766-776. The `export_getRequestCountersWeb` endpoint is the primary attack vector.

Exploit:

An authenticated attacker can exploit this by sending a crafted request to the vulnerable endpoint. Example payload structure:

Crafted groupingAttribute to escape and execute system commands
groupingAttribute = "<strong>class</strong>.<strong>base</strong>.<strong>subclasses</strong>()[...].os.system('id > /tmp/pwned')"

The server evaluates `Request.` + groupingAttribute, executing the injected code. The attacker can chain Python object introspection to reach the `os` module and run arbitrary shell commands.

Protection:

  • Immediate: Upgrade to patched versions: 8.0.79, 9.0.22, or 9.1.10.
  • Interim Mitigation: Restrict access to `RequestManager/ReqManagerHandler` methods, limiting which authenticated users/groups can call export_getRequestCountersWeb-related functionality.
  • Long-term: Implement input validation/sanitization for all parameters passed to eval(). Replace `eval()` with safer alternatives like `ast.literal_eval()` or proper attribute lookup via getattr().

Impact:

  • Full System Compromise: Attackers gain the ability to execute arbitrary commands as the DIRAC service user.
  • Credential Theft: Reading `dirac.cfg` exposes database passwords and other sensitive configuration.
  • Data Exfiltration: All stored proxies and tokens can be exported, potentially compromising the entire distributed infrastructure.
  • Log Tampering: Attackers can remove evidence of the exploit from local logs.
  • Lateral Movement: Compromised credentials can be used to access other systems within the DIRAC ecosystem.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top