Listen to this Post
How CVE-2026-45579 Works
The vulnerability exists in DIRAC’s RequestManager component due to unsafe use of Python’s `eval()` function on user-supplied input. The `export_getRequestCountersWeb` function within `ReqManagerHandler.py` is callable by any authenticated user without additional authorization checks. This function passes user-controlled parameters directly to the `getCounters` method in the `RequestDB` class.
Inside `RequestDB.py` (lines 766-776), the `groupingAttribute` parameter is processed. If the provided string is not recognized as a valid attribute, the code prepends `Request.` to it and passes the resulting string directly into an `eval()` call. This allows an attacker to inject arbitrary Python code by supplying a carefully crafted “dunder” (double underscore) string that traverses the `Request` object’s methods to reach the `os` module.
For example, by passing a `groupingAttribute` value such as __class__.__base__.__subclasses__()..., an attacker can navigate the Python object hierarchy, eventually accessing functions like `os.system()` or `os.popen()` to execute arbitrary operating system commands on the DIRAC server. The server executes these commands with the privileges of the system user running the DIRAC services.
The impact is severe: authenticated attackers can read sensitive configuration files (e.g., dirac.cfg), obtain database credentials, export all stored proxies and tokens, and—if local logging is used—remove evidence of the exploit from log files. The advisory also notes that other `eval()` uses in `ReqManager/RequestDB` may be equally exploitable.
DailyCVE Form:
Platform: ……. DIRAC
Version: …….. >=6,<8.0.79/>=8.1.0a1,<9.0.22/>=9.1.0,<9.1.10
Vulnerability :…… Remote Code Execution (RCE) via eval()
Severity: ……. Critical
date: ………. 2026-07-13
Prediction: …… 2026-07-20 (within ~1 week)
What Undercode Say:
Check current DIRAC version pip show DIRAC | grep Version Verify if vulnerable (example for v9.1.0) python3 -c "import DIRAC; print(DIRAC.<strong>version</strong>)" List all installed DIRAC packages pip list | grep -i dirac
The vulnerability resides in `src/DIRAC/RequestManagementSystem/Service/ReqManagerHandler.py` at line 270 and `src/DIRAC/RequestManagementSystem/DB/RequestDB.py` at lines 766-776. The `export_getRequestCountersWeb` endpoint is the primary attack vector.
Exploit:
An authenticated attacker can exploit this by sending a crafted request to the vulnerable endpoint. Example payload structure:
Crafted groupingAttribute to escape and execute system commands
groupingAttribute = "<strong>class</strong>.<strong>base</strong>.<strong>subclasses</strong>()[...].os.system('id > /tmp/pwned')"
The server evaluates `Request.` + groupingAttribute, executing the injected code. The attacker can chain Python object introspection to reach the `os` module and run arbitrary shell commands.
Protection:
- Immediate: Upgrade to patched versions: 8.0.79, 9.0.22, or 9.1.10.
- Interim Mitigation: Restrict access to `RequestManager/ReqManagerHandler` methods, limiting which authenticated users/groups can call
export_getRequestCountersWeb-related functionality. - Long-term: Implement input validation/sanitization for all parameters passed to
eval(). Replace `eval()` with safer alternatives like `ast.literal_eval()` or proper attribute lookup viagetattr().
Impact:
- Full System Compromise: Attackers gain the ability to execute arbitrary commands as the DIRAC service user.
- Credential Theft: Reading `dirac.cfg` exposes database passwords and other sensitive configuration.
- Data Exfiltration: All stored proxies and tokens can be exported, potentially compromising the entire distributed infrastructure.
- Log Tampering: Attackers can remove evidence of the exploit from local logs.
- Lateral Movement: Compromised credentials can be used to access other systems within the DIRAC ecosystem.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

