Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for CVE-2026-45579.

Upgrade to Pro
CVE-2026-45579

DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579)

Detects exploitation attempts and successful compromise of DIRAC's RequestManager component via CVE-2026-45579, a CWE-95 (Eval Injection) vulnerability where untrusted RPC input passed to RequestManager is evaluated via Python's eval() function, resulting in unauthenticated or low-privilege remote code execution. Affected DIRAC (pip package) versions are >=6,<8.0.79, >=8.1.0a1,<9.0.22, and >=9.1.0,<9.1.10. A public PoC exists (GHSA-9jpv-c7p4-997x). Detection focuses on anomalous eval-triggering payloads sent to DIRAC RequestManager RPC/DISET endpoints, resulting child process spawns from DIRAC service processes, and post-exploitation artifacts consistent with grid/HPC computing infrastructure compromise.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
DIRAC
Versions
>= 6, < 8.0.79, >= 8.1.0a1, < 9.0.22, >= 9.1.0, < 9.1.10

Weakness (CWE)

Timeline

Disclosed
July 13, 2026

CVSS

9.9
Critical (9.0–10)

CVSS vector not yet published

Write-up coming soon

What is CVE-2026-45579 DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579)?

DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579) (CVE-2026-45579) maps to the Initial Access and Execution and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Sysmon Process Creation. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement
Microsoft Sentinel / Defender
kusto
let DiracServiceProcs = dynamic(["RequestManager", "RequestManagerHandler", "dirac-request-manager"]);
DeviceProcessEvents
| where InitiatingProcessCommandLine has_any ("RequestManager", "dirac-service") or InitiatingProcessFileName has_any ("python", "python3")
| where FileName in~ ("sh", "bash", "cmd.exe", "powershell.exe", "wget", "curl", "nc", "python", "python3", "id", "whoami")
| where InitiatingProcessCommandLine has_any ("eval(", "__import__", "os.system", "subprocess", "socket.socket", "/bin/sh", "base64")
| project TimeGenerated, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName
| order by TimeGenerated desc

Detects process creation events spawned from DIRAC RequestManager/service processes where the initiating command line contains Python eval-injection indicators (eval(, __import__, os.system, subprocess, base64) consistent with CVE-2026-45579 exploitation, followed by suspicious child processes such as shells, interpreters, or network tools.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Sysmon Process Creation

Required Tables

DeviceProcessEvents

False Positives

  • Legitimate DIRAC administrators running diagnostic scripts that legitimately call eval() in maintenance tooling
  • Automated DIRAC test/CI pipelines exercising RequestManager with benign serialized payloads
  • Third-party monitoring agents instrumenting Python processes with similar command-line patterns

Sigma rule & cross-platform mapping

The detection logic for DIRAC RequestManager eval() Remote Code Execution (CVE-2026-45579) (CVE-2026-45579) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate DIRAC RequestManager eval() RCE via crafted RPC payload

    Expected signal: Process creation event showing python3 (DIRAC RequestManager service) spawning /bin/sh -c "id > /tmp/dirac_poc_out" or equivalent child process with eval-injection command-line markers

  2. Test 2Simulate reverse shell spawned from DIRAC service process

    Expected signal: Bash process with /dev/tcp redirection spawned by a process whose parent command line references RequestManager/dirac-service, plus an outbound TCP connection on port 4444

  3. Test 3Simulate malicious eval() injection payload execution on Windows lab host

    Expected signal: DeviceProcessEvents entry showing python.exe spawning cmd.exe/whoami with a parent command line simulation referencing RequestManager, writing output to a temp file

Unlock playbooks & atomic tests with Pro

Get the full detection package for CVE-2026-45579 — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections