Description
Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Published: 2026-01-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

The parsl-visualize component builds SQL statements with unsafe string formatting (the Python % operator), splicing the workflow_id taken from the URL route directly into the query text. This is CWE-89 (SQL injection): whatever an attacker places in that path segment is parsed as SQL by the monitoring database. The CVE description names data exfiltration and denial of service against the monitoring database as the possible outcomes; note that the assigned CVSS 3.1 vector (C:N/I:N/A:L) scores only a low availability impact, so the confidentiality impact the description mentions is not reflected in the score.

Affected Systems

The vulnerability affects the Parsl library, specifically the parsl-visualize monitoring dashboard, in all releases prior to 2026.01.05 (CPE cpe:2.3:a:uchicago:parsl:*:*:*:*:*:python:*:*). Users should check the installed version (for example with pip show parsl) rather than the installation date, and upgrade if it is older than 2026.01.05.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects moderate severity: network attack vector, low attack complexity, no privileges and no user interaction required, with the impact scored as low availability only. The EPSS score below 1 % indicates a low probability of exploitation in the wild, and the flaw is not listed in the CISA KEV catalog. The SSVC assessment, however, records Exploitation: poc and Automatable: yes, so proof-of-concept exploitation is known and the attack can be scripted. The only prerequisite is network reach to the visualization dashboard; no authentication is required.

Generated by OpenCVE AI on April 18, 2026 at 07:41 UTC.

Remediation

Fixed in Parsl 2026.01.05; see the GitHub advisory GHSA-f2mf-q878-gh58 and Debian DSA-6099-1 (python-parsl security update).

OpenCVE Recommended Actions

  • Upgrade Parsl to version 2026.01.05 or later, which removes the unsafe string formatting.
  • If upgrading is not immediately possible, restrict dashboard access to trusted users or networks (the dashboard itself requires no authentication), and monitor for anomalous database activity and for requests whose workflow identifier contains SQL metacharacters such as quotes, comment markers or UNION.
  • If you must carry a local patch until you can upgrade, replace the %-formatted queries with parameterized queries (bound placeholders) for workflow identifiers; a strict allowlist on the identifier format is defense in depth, not a substitute for parameterization.
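
The following is an added example, not code from the Parsl project: a sqlite3 stand-in for the monitoring database that reproduces the CWE-89 pattern described under Impact (a workflow_id from a URL route spliced into SQL with the % operator) alongside the two mitigations from the recommended actions, bound parameters and an identifier allowlist. The table name, column names, sample rows and the allowed identifier format are all assumptions made for the example.

```python
"""Added example (not Parsl's own code): vulnerable %-formatted lookup
versus parameterized and allowlisted lookups for a workflow_id taken
from a URL route.  Schema and sample data are constructed for the demo."""
import re
import sqlite3

# Constructed sample data standing in for a monitoring database.  The
# "secret_project" row belongs to another user and must not be returned
# when the caller asks for workflow "wf-1".
SAMPLE_ROWS = [
    ("wf-1", "demo_pipeline", "alice"),
    ("wf-2", "nightly_build", "bob"),
    ("wf-3", "secret_project", "carol"),
]


def make_db():
    """Build an in-memory database with an assumed 'workflow' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE workflow (run_id TEXT, workflow_name TEXT, owner TEXT)"
    )
    conn.executemany("INSERT INTO workflow VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, workflow_id):
    """The pattern the advisory describes: the route value is %-formatted
    straight into the statement text.  Deliberately unsafe."""
    sql = (
        "SELECT run_id, workflow_name, owner FROM workflow "
        "WHERE run_id = '%s'" % workflow_id
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, workflow_id):
    """Hardened form: the value travels as a bound parameter, never as SQL."""
    sql = "SELECT run_id, workflow_name, owner FROM workflow WHERE run_id = ?"
    return conn.execute(sql, (workflow_id,)).fetchall()


# Assumed identifier shape for the allowlist fallback (letters, digits,
# dash, underscore, at most 64 chars).  This regex is an assumption made
# for the example, not Parsl's actual run-id format.
WORKFLOW_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_workflow_id(workflow_id):
    """Allowlist check: True only for identifiers matching WORKFLOW_ID_RE."""
    return WORKFLOW_ID_RE.fullmatch(workflow_id) is not None


def lookup_validated(conn, workflow_id):
    """Defense in depth: reject anything outside the allowlist, then bind."""
    if not is_valid_workflow_id(workflow_id):
        raise ValueError("rejected workflow_id: %r" % workflow_id)
    return lookup_parameterized(conn, workflow_id)


def demo():
    """Run benign and injected identifiers through each lookup."""
    conn = make_db()
    benign = "wf-1"
    # Tautology payload: closes the quoted literal and ORs in a true clause,
    # so the vulnerable query returns every workflow (data exposure).
    tautology = "wf-1' OR '1'='1"
    # UNION payload: appends another table's rows (sqlite_master here) and
    # comments out the trailing quote the template adds.
    union = "x' UNION SELECT name, sql, type FROM sqlite_master --"
    return {
        "benign_vuln": lookup_vulnerable(conn, benign),
        "tautology_vuln": lookup_vulnerable(conn, tautology),
        "union_vuln": lookup_vulnerable(conn, union),
        "tautology_param": lookup_parameterized(conn, tautology),
        "union_param": lookup_parameterized(conn, union),
        "benign_validated": lookup_validated(conn, benign),
        "tautology_allowed": is_valid_workflow_id(tautology),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running the block shows the vulnerable lookup returning all three rows for the tautology payload and the schema text from sqlite_master for the UNION payload, while the parameterized lookup returns nothing for either and the allowlist rejects both before a query is built. The same payloads arrive in a real deployment as a URL path segment, which is why restricting network access to the dashboard is only a stopgap until the code is parameterized.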

Advisories
Source       ID                   Title
Debian DSA   DSA-6099-1           python-parsl security update
GitHub GHSA  GHSA-f2mf-q878-gh58  Parsl Monitoring Visualization Vulnerable to SQL Injection
History

Tue, 20 Jan 2026 18:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Uchicago
                                      Uchicago parsl
CPEs                                  cpe:2.3:a:uchicago:parsl:*:*:*:*:*:python:*:*
Vendors & Products                    Uchicago
                                      Uchicago parsl

Thu, 08 Jan 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description                   Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Title                         Parsl Monitoring Visualization Vulnerable to SQL Injection
Weaknesses                    CWE-89
References
Metrics                       cvssV3_1
                              {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:55:18.188Z

Reserved: 2026-01-05T17:24:36.929Z

Link: CVE-2026-21892

Vulnrichment

Updated: 2026-01-08T14:52:22.327Z

NVD

Status : Analyzed

Published: 2026-01-08T14:15:57.553

Modified: 2026-01-20T18:28:39.130

Link: CVE-2026-21892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses