Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
Published: 2026-04-20
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Redirection to Attacker-Controlled Cassandra
Action: Apply Patch
AI Analysis

Impact

Glances, an open‑source system monitoring tool, interpolated its "keyspace", "table", and "replication_factor" configuration values directly into CQL statements without validation. The result was a classic CQL injection vulnerability, where a user with write access to the configuration file could insert arbitrary CQL parameters and redirect all monitoring output to a Cassandra keyspace of the attacker’s choosing. This bypasses the intended namespace isolation, potentially exposing sensitive system metrics, allowing an attacker to inject or corrupt monitoring data, and could serve as an avenue for data exfiltration or misuse of resources. The weakness maps to CWE‑89 (SQL Injection) in the context of Cassandra’s CQL.

Affected Systems

The flaw exists in all Glances releases prior to version 4.5.4, distributed under the nicolargo:glances vendor designation. Any deployment that uses a configuration file with write permissions granted to local users is vulnerable.

Risk and Exploitability

With a CVSS score of 6.3, the vulnerability is considered medium severity. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog. The attack requires write access to glances.conf, which is typically limited to the privileged user running Glances or a user who can modify configuration files. Whether the configuration file is exposed to remote users depends on the deployment; however, the primary attack vector is local intrusion. Once the attacker writes malicious configuration values, Glances will send monitoring data to the attacker’s Cassandra instance, achieving the goals outlined above.

Generated by OpenCVE AI on April 21, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.4 or newer, which sanitizes keyspace, table, and replication_factor values before embedding them in CQL statements.
  • If an upgrade is not immediately possible, ensure that only trusted system administrators have write permissions to glances.conf, and consider setting file permissions to read‑only for untrusted users.
  • If you cannot enforce strict file permissions, monitor glances.conf for unauthorized changes and restore it to a known good state as a temporary protection measure.

Generated by OpenCVE AI on April 21, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-grp3-h8m8-45p7 Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
History

Wed, 22 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Mon, 20 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly into CQL statements without validation. A user with write access to `glances.conf` can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
Title Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:35:04.526Z

Reserved: 2026-04-03T20:09:02.828Z

Link: CVE-2026-35588

cve-icon Vulnrichment

Updated: 2026-04-21T13:34:55.661Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T00:16:29.163

Modified: 2026-04-22T18:40:39.270

Link: CVE-2026-35588

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:37:55Z

Weaknesses