CVE-2026-61668: DIRAC PilotWrapper Disabled TLS Certificate Validation
DIRAC's pilot wrapper script intentionally skips TLS certificate verification when downloading the second-stage pilot code, letting a network attacker swap in malicious code that runs with grid proxy
The problem
The pilot wrapper in `WorkloadManagementSystem/Utilities/PilotWrapper.py` downloads `pilot.tar` and its reference checksum file over HTTPS, but explicitly passes an unverified SSL context to `urllib.urlopen`. This means no server identity check is performed.
A man-in-the-middle attacker who can intercept the connection (via DNS or routing manipulation at a grid site) can replace the downloaded archive with arbitrary code. That code then executes with the pilot's proxy credentials, potentially compromising the entire job context.
Proof of concept
A working proof-of-concept for CVE-2026-61668 in DIRAC, with the exact payload below.
# Vulnerable pattern in PilotWrapper.py (DIRAC < 8.0.79)
import ssl
from urllib.request import urlopen
# SSL validation is explicitly disabled to match old Python < 2.7.9 behaviour
if 'context' in urlopen.__code__.co_varnames:
context = ssl._create_unverified_context() # no cert check at all
rJson = urlopen('https://<pilotFileServer>/pilot/pilot.json', timeout=10, context=context)
rTar = urlopen('https://<pilotFileServer>/pilot/pilot.tar', timeout=10, context=context)
# Because the checksum reference is fetched over the same unverified channel,
# a MITM can serve a matching (attacker-chosen) checksum alongside the malicious tar.
# The integrity check passes and the malicious payload is executed.The root cause is CWE-295: Improper Certificate Validation. The code deliberately creates `ssl._create_unverified_context()`, which sets `CERT_NONE` and disables hostname checking, to preserve compatibility with Python versions older than 2.7.9. Because both `pilot.tar` and its checksum file are fetched through this same unvalidated context, the checksum check provides no real integrity guarantee against a MITM.
The fix removes the `_create_unverified_context()` path entirely, requiring a properly validating SSL context (system CA store and/or `$X509_CERT_DIR`) for all downloads. DIRAC 8.0 already dropped Python 2 support, so the old-Python workaround had no remaining justification.
The fix
Upgrade to DIRAC 8.0.79, 9.0.22, or 9.1.10. All three releases remove the `ssl._create_unverified_context()` call from `PilotWrapper.py` and require TLS connections to validate against the system certificate store or `$X509_CERT_DIR`.
Related research
- highClauster: Missing Authentication Bypass on Non-Loopback Dashboard
- high · 7.8CVE-2026-54071CVE-2026-54071: BabelDOC Arbitrary Code Execution via CMap Pickle Deserialization
- high · 7.7mcp-atlassian: Arbitrary Server-Side File Read via Attachment Upload Path Traversal
- criticalCVE-2026-54069CVE-2026-54069: SiYuan Unauthenticated Admin API Access via chrome-extension:// Origin Bypass