CVE-2026-30930
Status: Received - Intake
SQL Injection in Glances TimescaleDB Export Module Allows Data Manipulation

Publication date: 2026-03-10

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.1, the TimescaleDB export module constructs SQL queries by string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names. This vulnerability is fixed in 4.5.1.
Meta Information
Published: 2026-03-10
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: nicolargo
Product: glances
Version / Range: up to 4.5.1 (excluding 4.5.1)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-30930 is an SQL Injection vulnerability in the TimescaleDB export module of the Glances monitoring tool prior to version 4.5.1.

The vulnerability arises because the module constructs SQL queries by concatenating strings containing unsanitized system monitoring data such as process names, filesystem mount points, network interface names, or container names.

Specifically, the normalize() method wraps string values in single quotes but does not escape embedded single quotes, allowing attacker-controlled input to break out of the string context and inject arbitrary SQL commands.

This makes it trivial for an attacker to perform SQL injection by crafting malicious process or plugin names.

The vulnerability was fixed in version 4.5.1 by refactoring the code to use parameterized queries and safe SQL composition methods, preventing injection attacks.
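The following is an added example, not code from the Glances project: normalize_vulnerable() is a hypothetical reconstruction of the behaviour the advisory describes (single quotes around the value, embedded quotes left unescaped), placed beside the parameterized form the fix is described as using. It runs against an in-memory SQLite table instead of TimescaleDB, so it uses sqlite3's "?" placeholder rather than psycopg's %s; the sample rows and the benign "x'); SELECT 1; --" name are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample rows, shaped like the per-process data an export module
# would receive. The apostrophe in the second name is the character the
# advisory says normalize() fails to escape; the third name is a benign
# stand-in for a value that closes the literal and starts another statement.
SAMPLE_ROWS = [
    {"name": "sshd", "cpu_percent": 0.1},
    {"name": "it's-fine.sh", "cpu_percent": 1.5},
    {"name": "x'); SELECT 1; --", "cpu_percent": 2.0},
]

IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def normalize_vulnerable(value):
    """Hypothetical reconstruction of the behaviour the advisory describes:
    strings are wrapped in single quotes, embedded quotes are not escaped."""
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def build_insert_vulnerable(table, row):
    """Builds the whole statement by string concatenation (the CWE-89 pattern)."""
    cols = ", ".join(row)
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return "INSERT INTO %s (%s) VALUES (%s)" % (table, cols, vals)


def build_insert_safe(table, row):
    """Identifiers are checked against a strict pattern before being quoted;
    values never touch the SQL text and are returned as bound parameters
    ('?' is sqlite3's placeholder style; psycopg uses %s)."""
    for ident in (table, *row):
        if not IDENT_RE.match(ident):
            raise ValueError("refusing unsafe identifier: %r" % ident)
    cols = ", ".join('"%s"' % c for c in row)
    marks = ", ".join("?" for _ in row)
    sql = 'INSERT INTO "%s" (%s) VALUES (%s)' % (table, cols, marks)
    return sql, tuple(row.values())


def unquoted_semicolons(sql):
    """Counts ';' outside single-quoted literals: a value that smuggles one
    into that position has broken out of its string context. Doubled quotes
    ('') toggle twice and so stay inside the literal, as SQL intends."""
    inside, count = False, 0
    for ch in sql:
        if ch == "'":
            inside = not inside
        elif ch == ";" and not inside:
            count += 1
    return count


def export_rows(rows):
    """Runs the parameterized insert against an in-memory SQLite table and
    returns the stored names, showing that every value lands verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE processes (name TEXT, cpu_percent REAL)")
    for row in rows:
        sql, params = build_insert_safe("processes", row)
        conn.execute(sql, params)
    return [r[0] for r in conn.execute("SELECT name FROM processes ORDER BY rowid")]


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        vuln = build_insert_vulnerable("processes", row)
        print(unquoted_semicolons(vuln), vuln)
    print(export_rows(SAMPLE_ROWS))
```

For the crafted name the concatenated statement contains two semicolons outside any literal, i.e. the database would see attacker text as SQL; for "it's-fine.sh" the same builder emits an unbalanced quote, so the bug also corrupts legitimate data. The parameterized builder produces a fixed statement shape regardless of input and stores all three names unchanged.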

Impact Analysis

This vulnerability can have severe impacts including:

  • Data destruction through execution of SQL commands like DROP TABLE, DELETE, or TRUNCATE.
  • Data exfiltration by using SQL commands such as COPY ... TO or subqueries to extract sensitive information.
  • Potential remote code execution by leveraging PostgreSQL server-side features such as COPY ... PROGRAM, which can execute OS commands when the database role used by the export module holds the required privileges.
  • Privilege escalation since any local user able to create a process with a crafted name can compromise the entire PostgreSQL instance.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking whether your Glances installation is a vulnerable version prior to 4.5.1 and whether the TimescaleDB export module is enabled.

One practical detection method is to look for processes or system entities (such as process names, filesystem mount points, network interface names, or container names) containing suspicious or crafted single quotes or SQL injection payloads.

A proof of concept involves creating a process with a crafted name containing SQL injection payloads, for example:

  • exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --" python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'

If the vulnerability is present, running Glances with TimescaleDB export enabled will cause the injected SQL to execute, such as creating a file with database version information.

To check your Glances version, you can run:

  • glances --version

To detect whether TimescaleDB export is enabled and potentially vulnerable, review your Glances configuration files for export settings related to TimescaleDB. [3]
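The three checks above (version below 4.5.1, TimescaleDB export configured, monitored names carrying quote or statement characters) as an added triage script; this is not Glances code or a supported Glances interface. It assumes that the output of glances --version contains a dotted x.y.z version and that the export is configured in an INI-style [timescaledb] section of glances.conf (both assumptions; verify against your own installation). The configuration text and the list of names are constructed samples.

```python
import configparser
import re

FIXED_VERSION = (4, 5, 1)

# Constructed sample of a glances.conf. The [timescaledb] section name and
# its keys are assumptions for illustration only.
SAMPLE_CONF = """\
[global]
refresh=2

[timescaledb]
host=localhost
port=5432
db=glances
"""

# Constructed sample of names as reported by monitoring plugins.
SAMPLE_NAMES = ["sshd", "glances", "x'); SELECT 1; --", "it's-fine.sh"]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
# Characters that should never appear in a name fed to the vulnerable
# normalize(): a quote closes the literal, ';' and '--' shape what follows.
SUSPICIOUS_RE = re.compile(r"['\";]|--")


def parse_version(text):
    """Extracts the first x.y.z triple from a version banner as a tuple."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text):
    """True when the reported Glances version predates the fix in 4.5.1."""
    return parse_version(version_text) < FIXED_VERSION


def timescaledb_export_enabled(conf_text):
    """True when the configuration declares a [timescaledb] export section
    (assumed section name; interpolation is off so '%' in values is harmless)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.has_section("timescaledb")


def suspicious_names(names):
    """Returns the names that contain quote or statement-separator characters.
    Legitimate names with an apostrophe are flagged too; this is a triage aid,
    not proof of an attack."""
    return [n for n in names if SUSPICIOUS_RE.search(n)]


if __name__ == "__main__":
    banner = "Glances v4.4.0"  # constructed; feed real `glances --version` output here
    print("vulnerable version:", is_vulnerable(banner))
    print("timescaledb export configured:", timescaledb_export_enabled(SAMPLE_CONF))
    print("names to review:", suspicious_names(SAMPLE_NAMES))
```

Only the combination matters: a vulnerable version with the export configured is the exposed state, and flagged names are then the entities to review first. A name with an apostrophe is a false positive by design, so treat the last check as a prioritisation step rather than an alert.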

Mitigation Strategies

The immediate and recommended mitigation step is to upgrade Glances to version 4.5.1 or later, where this vulnerability has been fixed.

The fix involves refactoring the TimescaleDB export module to use parameterized queries and safe SQL composition methods, preventing SQL injection via unsanitized input.

If upgrading immediately is not possible, consider disabling the TimescaleDB export feature in Glances to prevent exploitation.

Additionally, monitor and restrict the ability of untrusted users to create processes or system entities with arbitrary names that could be used to inject SQL.

Review and apply any relevant security advisories and patches from the official Glances repository.
