CVE-2026-32611
SQL Injection in Glances DuckDB Export Module Allows Injection
Publication date: 2026-03-18
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicolargo | glances | to 4.5.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32611 is a high-severity SQL injection vulnerability in the DuckDB export module of the Glances monitoring tool. The vulnerability arises because table names and column names derived from monitoring statistics are inserted directly into SQL Data Definition Language (DDL) statements using f-string interpolation, without escaping or quoting. While the inserted values use parameterized queries, the identifiers (table and column names) do not, so maliciously crafted names containing SQL metacharacters can inject arbitrary SQL commands.

This vulnerability is similar to a previously fixed issue in the TimescaleDB export module, but was not addressed in the DuckDB export code until version 4.5.3. Because identifiers are not safely quoted, an attacker who controls a name can alter the SQL commands executed by the database.

The fix introduces a helper function that safely quotes SQL identifiers by wrapping them in double quotes and escaping any embedded double quotes, following DuckDB's standard escaping rules. This quoting is applied to all dynamically generated table and column names, preventing injection. [1, 2]
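The following added example is not Glances code; it illustrates the identifier-quoting fix described above and the schema audit suggested in the detection section. The function names (`quote_identifier`, `build_create_table_safe`, `audit_table_names`) and the DDL layout are assumptions, and SQLite's in-memory database stands in for DuckDB because both apply the same SQL-standard rule for double-quoted identifiers.

```python
import re
import sqlite3

# Identifiers that need no quoting at all; anything else is flagged by the audit.
PLAIN_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the SQL-standard (and DuckDB) way: wrap it in
    double quotes and double every embedded double quote. Assumed helper name."""
    if "\x00" in name:
        raise ValueError("identifier contains a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def build_create_table_unsafe(table: str, columns: list[str]) -> str:
    """The vulnerable pattern: raw identifiers interpolated into DDL.
    Kept only as a string builder so the difference is visible; never executed here."""
    cols = ", ".join(f"{c} DOUBLE" for c in columns)
    return f"CREATE TABLE IF NOT EXISTS {table} (time TIMESTAMP, {cols})"


def build_create_table_safe(table: str, columns: list[str]) -> str:
    """The hardened pattern: every identifier passes through quote_identifier."""
    cols = ", ".join(f"{quote_identifier(c)} DOUBLE" for c in columns)
    return (
        f"CREATE TABLE IF NOT EXISTS {quote_identifier(table)} "
        f"(time TIMESTAMP, {cols})"
    )


def create_table_and_list(table: str, columns: list[str]) -> list[str]:
    """Run the safe DDL against an in-memory SQLite database (stand-in for DuckDB)
    and return the table names the engine actually created."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(build_create_table_safe(table, columns))
        rows = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
        ).fetchall()
    finally:
        conn.close()
    return [r[0] for r in rows]


def audit_table_names(names: list[str]) -> list[str]:
    """Defender-side check: return identifiers that contain characters a
    monitoring stat name should never need (quotes, semicolons, spaces, ...).
    Feed it the output of information_schema.tables / .columns on DuckDB."""
    return [n for n in names if not PLAIN_IDENTIFIER.match(n)]


if __name__ == "__main__":
    # Constructed hostile identifier: a stat name carrying SQL metacharacters.
    hostile = 'cpu"; SELECT 1; --'
    print("unsafe DDL :", build_create_table_unsafe(hostile, ["user", "system"]))
    print("safe DDL   :", build_create_table_safe(hostile, ["user", "system"]))
    # With quoting, the whole hostile string becomes one literal table name.
    print("created    :", create_table_and_list(hostile, ["user", "system"]))
    print("suspicious :", audit_table_names(["cpu", "mem", hostile]))
```

With quoting in place the hostile string is created as a single, oddly named table rather than being parsed as extra SQL, and the audit function surfaces exactly such names when run over a schema listing.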
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary SQL commands on the DuckDB database used by Glances. By injecting malicious table or column names containing SQL metacharacters, an attacker could corrupt the database, create unauthorized tables, alter the database schema, or potentially access unauthorized data.
Since the vulnerability affects the construction of SQL DDL statements, it could lead to data integrity issues, unauthorized data manipulation, or denial of service through database corruption.
The attack complexity is high and requires network access but no privileges or user interaction, making it a significant risk if exploited.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves SQL injection risks in the DuckDB export module of Glances, specifically through unquoted table and column names in SQL DDL statements. Detection involves inspecting the SQL statements generated by Glances for unquoted identifiers or signs of injection attempts.

Since the vulnerability arises from unescaped table and column names in SQL queries, you can detect potential exploitation by monitoring for unusual or malformed SQL commands targeting the DuckDB database used by Glances.

Suggested commands include reviewing logs or running queries against the DuckDB database to identify suspicious table or column names containing SQL metacharacters or injection patterns.

- Check the DuckDB database schema for unexpected tables or columns with suspicious names, e.g., using the DuckDB CLI or SQL queries.
- Use commands like `SELECT * FROM information_schema.tables;` or `SELECT * FROM information_schema.columns WHERE table_name LIKE '%"%';` to find identifiers with quotes or unusual characters.
- Monitor Glances logs or debug output for SQL errors or warnings related to malformed queries. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Glances to version 4.5.3 or later, where the vulnerability is fixed by properly quoting all SQL identifiers in the DuckDB export module.
The fix involves using a helper function that safely quotes table and column names by escaping embedded double quotes and wrapping identifiers in double quotes, preventing SQL injection.
Until you can upgrade, avoid using or enabling the DuckDB export feature in Glances, especially if your environment includes plugins or data sources that might introduce user-controlled or external data into table or column names.
- Upgrade Glances to version 4.5.3 or later.
- Disable or avoid using the DuckDB export module if upgrading is not immediately possible.
- Review and sanitize any custom plugins or data sources that might influence table or column names.
- Monitor and audit database schemas and logs for signs of exploitation.