CVE-2026-32611
Status: Received - Intake
SQL Injection in Glances DuckDB Export Module Allows Injection

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
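As an added illustration (not Glances' own code), the raw f-string DDL pattern described above next to the identifier-quoting helper that the 4.5.3 fix introduces, executed against an in-memory SQLite database as a stand-in for DuckDB (both follow the same double-quote identifier rule). The function names, the sample stat keys and the SQLite stand-in are assumptions.

```python
import sqlite3
from typing import Iterable


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the way DuckDB (and standard SQL) expects:
    wrap it in double quotes and double every embedded double quote, so a
    hostile name can never close the identifier and continue as SQL."""
    return '"' + name.replace('"', '""') + '"'


def build_create_table_vulnerable(table: str, columns: Iterable[str]) -> str:
    """The pre-4.5.3 pattern: identifiers dropped straight into the DDL."""
    cols = ", ".join(f"{c} DOUBLE" for c in columns)
    return f"CREATE TABLE IF NOT EXISTS {table} (time TIMESTAMP, {cols})"


def build_create_table_safe(table: str, columns: Iterable[str]) -> str:
    """Same DDL with every identifier passed through quote_identifier()."""
    cols = ", ".join(f"{quote_identifier(c)} DOUBLE" for c in columns)
    return (f"CREATE TABLE IF NOT EXISTS {quote_identifier(table)} "
            f"(time TIMESTAMP, {cols})")


def build_insert(table: str, columns: list[str]) -> str:
    """Identifiers quoted; values stay on '?' placeholders, as Glances already did."""
    col_list = ", ".join(quote_identifier(c) for c in columns)
    placeholders = ", ".join("?" for _ in columns)
    return (f"INSERT INTO {quote_identifier(table)} (time, {col_list}) "
            f"VALUES (?, {placeholders})")


def export_stats(table: str, stats: dict[str, float]) -> tuple[list[str], list[str]]:
    """Run the hardened DDL and INSERT against an in-memory SQLite database
    (assumed stand-in for DuckDB) and report what the engine really created:
    (table names, column names of the target table)."""
    conn = sqlite3.connect(":memory:")
    columns = list(stats)
    conn.execute(build_create_table_safe(table, columns))
    conn.execute(build_insert(table, columns), ["2026-03-18 00:00:00", *stats.values()])
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    col_names = [r[1] for r in conn.execute(f"PRAGMA table_info({quote_identifier(table)})")]
    conn.close()
    return tables, col_names


if __name__ == "__main__":
    # Constructed sample: one ordinary stat key and one carrying SQL metacharacters.
    stats = {"user": 12.5, 'load"; SELECT 1; --': 3.0}
    print(build_create_table_vulnerable("cpu", stats))  # metacharacters land in the DDL verbatim
    print(build_create_table_safe("cpu", stats))        # they become part of one quoted name
    print(export_stats("cpu", stats))                   # one table, three plain columns
```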
Meta Information
  • Published: 2026-03-18
  • Last Modified: 2026-03-19
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-18
  • EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
  • Vendor: nicolargo, Product: glances, Version / Range: to 4.5.2 (exc)
CWE
  • CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32611 is a high-severity SQL injection vulnerability in the DuckDB export module of the Glances monitoring tool. The vulnerability arises because table names and column names derived from monitoring statistics are directly inserted into SQL Data Definition Language (DDL) statements using unparameterized f-string interpolation without proper escaping or quoting. While the values inserted use parameterized queries, the identifiers (table and column names) do not, allowing maliciously crafted names containing SQL metacharacters to inject arbitrary SQL commands.

This vulnerability is similar to a previously fixed issue in the TimescaleDB export module but was not addressed in the DuckDB export code until version 4.5.3. The problem occurs because identifiers are not safely quoted, enabling attackers to manipulate the SQL commands executed by the database.

The fix involves introducing a helper function that safely quotes SQL identifiers by wrapping them in double quotes and escaping any embedded double quotes, following DuckDB's standard escaping rules. This quoting is applied to all dynamically generated table and column names, preventing injection attacks. [1, 2]


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary SQL commands on the DuckDB database used by Glances. By injecting malicious table or column names containing SQL metacharacters, an attacker could corrupt the database, create unauthorized tables, alter the database schema, or potentially access unauthorized data.

Since the vulnerability affects the construction of SQL DDL statements, it could lead to data integrity issues, unauthorized data manipulation, or denial of service through database corruption.

The attack complexity is high and requires network access but no privileges or user interaction, making it a significant risk if exploited.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves SQL injection risks in the DuckDB export module of Glances, specifically through unquoted table and column names in SQL DDL statements. Detection involves inspecting the SQL statements generated by Glances for unquoted identifiers or signs of injection attempts.

Since the vulnerability arises from unescaped table and column names in SQL queries, you can detect potential exploitation by monitoring for unusual or malformed SQL commands targeting the DuckDB database used by Glances.

Suggested commands include reviewing logs or running queries against the DuckDB database to identify suspicious table or column names containing SQL metacharacters or injection patterns.

  • Check the DuckDB database schema for unexpected tables or columns with suspicious names, e.g., using the DuckDB CLI or SQL queries.
  • Use commands like `SELECT * FROM information_schema.tables;` or `SELECT * FROM information_schema.columns WHERE table_name LIKE '%"%';` to find identifiers with quotes or unusual characters.
  • Monitor Glances logs or debug output for SQL errors or warnings related to malformed queries. [1, 2]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Glances to version 4.5.3 or later, where the vulnerability is fixed by properly quoting all SQL identifiers in the DuckDB export module.

The fix involves using a helper function that safely quotes table and column names by escaping embedded double quotes and wrapping identifiers in double quotes, preventing SQL injection.

Until you can upgrade, avoid using or enabling the DuckDB export feature in Glances, especially if your environment includes plugins or data sources that might introduce user-controlled or external data into table or column names.

  • Upgrade Glances to version 4.5.3 or later.
  • Disable or avoid using the DuckDB export module if upgrading is not immediately possible.
  • Review and sanitize any custom plugins or data sources that might influence table or column names.
  • Monitor and audit database schemas and logs for signs of exploitation.
