CVE-2026-30930
SQL Injection in Glances TimescaleDB Export Module Allows Data Manipulation
Publication date: 2026-03-10
Last updated on: 2026-04-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicolargo | glances | up to 4.5.1 (excluding 4.5.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30930 is an SQL Injection vulnerability in the TimescaleDB export module of the Glances monitoring tool prior to version 4.5.1.
The vulnerability arises because the module constructs SQL queries by concatenating strings containing unsanitized system monitoring data such as process names, filesystem mount points, network interface names, or container names.
Specifically, the normalize() method wraps string values in single quotes but does not escape embedded single quotes, allowing attacker-controlled input to break out of the string context and inject arbitrary SQL commands.
This makes it trivial for an attacker to perform SQL injection by crafting malicious process or plugin names.
The vulnerability was fixed in version 4.5.1 by refactoring the code to use parameterized queries and safe SQL composition methods, preventing injection attacks.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Data destruction through execution of SQL commands like DROP TABLE, DELETE, or TRUNCATE.
- Data exfiltration by using SQL commands such as COPY ... TO or subqueries to extract sensitive information.
- Potential remote code execution by leveraging PostgreSQL extensions like COPY ... PROGRAM that allow execution of OS commands.
- Privilege escalation since any local user able to create a process with a crafted name can compromise the entire PostgreSQL instance.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Glances installation is using a vulnerable version prior to 4.5.1 and if the TimescaleDB export module is enabled.
One practical detection method is to look for processes or system entities (such as process names, filesystem mount points, network interface names, or container names) containing suspicious or crafted single quotes or SQL injection payloads.
A proof of concept involves creating a process with a crafted name containing SQL injection payloads, for example:
- exec -a "x'); COPY (SELECT version()) TO '/tmp/sqli_proof.txt' --" python3 -c 'import time; [sum(range(500000)) or time.sleep(0.01) for _ in iter(int, 1)]'
If the vulnerability is present, running Glances with TimescaleDB export enabled will cause the injected SQL to execute, such as creating a file with database version information.
To check your Glances version, you can run:
- glances --version
To detect if TimescaleDB export is enabled and potentially vulnerable, review your Glances configuration files for export settings related to TimescaleDB. [3]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to upgrade Glances to version 4.5.1 or later, where this vulnerability has been fixed.
The fix involves refactoring the TimescaleDB export module to use parameterized queries and safe SQL composition methods, preventing SQL injection via unsanitized input.
If upgrading immediately is not possible, consider disabling the TimescaleDB export feature in Glances to prevent exploitation.
Additionally, monitor and restrict the ability of untrusted users to create processes or system entities with arbitrary names that could be used to inject SQL.
Review and apply any relevant security advisories and patches from the official Glances repository.
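The following added example (not Glances' own code, and not the patch shipped in 4.5.1) illustrates both the flaw described in the explanation above and the parameterized-query fix named in the mitigation answer. `normalize_vulnerable` mimics a quoting helper that wraps strings in single quotes without escaping them; `build_insert_safe` shows the hardened pattern, where monitored values travel as bound parameters and only whitelisted identifiers are interpolated. The table name, column names, and sample process names are constructed for the demonstration, and an in-memory SQLite database stands in for PostgreSQL/TimescaleDB so the code runs offline; `executescript` is used on the vulnerable path because, unlike a PostgreSQL driver, SQLite's `execute` refuses multi-statement strings.

```python
import re
import sqlite3

# Constructed sample rows of the kind an exporter writes. The process name is
# chosen by whoever starts the process, so it is untrusted input (hypothetical values).
SAMPLE_ROWS = [
    {"cpu_percent": 0.5, "name": "sshd"},
    {"cpu_percent": 1.0, "name": "x'); DROP TABLE process; --"},
]


def normalize_vulnerable(value):
    """Illustrative reproduction of the flaw: strings are wrapped in single
    quotes, but an embedded single quote is not escaped, so the value can
    terminate the string literal and the surrounding statement."""
    if isinstance(value, str):
        return "'" + value + "'"
    return str(value)


def build_insert_vulnerable(table, row):
    """String concatenation: data and SQL syntax end up in the same text."""
    cols = ", ".join(row.keys())
    vals = ", ".join(normalize_vulnerable(v) for v in row.values())
    return f"INSERT INTO {table} ({cols}) VALUES ({vals});"


# Identifiers (table and column names) come from the exporter's own schema,
# never from monitored data, and are still checked against a strict whitelist.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_insert_safe(table, row):
    """Hardened form: return (sql, params). Values are bound parameters, so the
    driver never parses them as SQL; identifiers are validated before use."""
    for ident in (table, *row.keys()):
        if not IDENT.match(ident):
            raise ValueError(f"refusing unsafe identifier: {ident!r}")
    cols = ", ".join(row.keys())
    placeholders = ", ".join("?" for _ in row)
    return f"INSERT INTO {table} ({cols}) VALUES ({placeholders})", tuple(row.values())


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE process (cpu_percent REAL, name TEXT)")
    return conn


def run_vulnerable(row):
    """Run the concatenated statement(s) and report whether the table survived.
    Returns True for a benign row, False when the crafted name dropped it."""
    conn = _fresh_db()
    conn.executescript(build_insert_vulnerable("process", row))
    survived = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='process'"
    ).fetchone()[0] == 1
    conn.close()
    return survived


def run_safe(row):
    """Insert with bound parameters and return the stored name verbatim."""
    conn = _fresh_db()
    sql, params = build_insert_safe("process", row)
    conn.execute(sql, params)
    stored = conn.execute("SELECT name FROM process").fetchone()[0]
    conn.close()
    return stored


def looks_suspicious(value):
    """Cheap inventory check in the spirit of the detection answer: a quote,
    semicolon or SQL comment marker in a process/mount/interface name merits review."""
    return isinstance(value, str) and bool(re.search(r"['\";]|--", value))


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{row['name']!r}: suspicious={looks_suspicious(row['name'])}, "
              f"table survives unsafe path={run_vulnerable(row)}, "
              f"safe path stored={run_safe(row)!r}")
```

The point of the comparison is that the hardened path never needs to know which characters are dangerous: the crafted name is stored exactly as given because the database receives it as a parameter rather than as part of the statement text. The whitelist on identifiers matters because placeholders cannot be used for table or column names, which is why a real exporter should compose those from its own schema (psycopg's `sql` module serves that purpose on PostgreSQL) rather than from anything collected on the host.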