CVE-2026-35588
CQL Injection in Glances Cassandra Exporter Allows Data Redirection
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicolargo | glances | < 4.5.4 (fixed in 4.5.4) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by values in the Cassandra export settings of glances.conf (the [cassandra] section), not by network input, so detection is mainly a configuration audit: the keyspace and table values must match the CQL identifier pattern ^[a-zA-Z][a-zA-Z0-9_]*$ (a letter followed by letters, digits or underscores) and replication_factor must be a positive integer. Anything else is either a misconfiguration or an injection attempt.
Because exploitation requires write access to glances.conf, an unexpected modification of that file is itself the primary indicator. Useful checks:
- List the relevant settings (review the lines under [cassandra]):
- grep -nE '^(keyspace|table|replication_factor)[[:space:]]*=' /path/to/glances.conf
- Flag keyspace or table values that do not match the identifier pattern (the second grep prints only lines whose value fails the pattern):
- grep -nE '^(keyspace|table)[[:space:]]*=' /path/to/glances.conf | grep -vE '=[[:space:]]*[A-Za-z][A-Za-z0-9_]*[[:space:]]*$'
- Flag a replication_factor that is not a positive integer:
- grep -nE '^replication_factor[[:space:]]*=' /path/to/glances.conf | grep -vE '=[[:space:]]*[1-9][0-9]*[[:space:]]*$'
- Check who can write the file (ls -l /path/to/glances.conf) and compare its modification time and content against your configuration management or file-integrity monitoring baseline; the same validation can be scripted for fleets of hosts.
On the Cassandra side, look for keyspaces or tables created from the Glances host that do not match the configured names, and, where Cassandra audit logging is enabled, for CQL statements from that host touching unexpected keyspaces.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Glances to version 4.5.4 or later, which validates the keyspace, table and replication_factor settings before they are used in CQL statements.
If you cannot upgrade immediately, make sure glances.conf is owned by a trusted account and is not writable by the Glances service account or by other unprivileged users (for example, root-owned with mode 0644), so that an attacker cannot alter the keyspace, table or replication_factor values.
Manually review the Cassandra export settings in glances.conf and confirm they conform to safe CQL identifier patterns: keyspace and table names must start with a letter and contain only letters, digits and underscores; replication_factor must be a positive integer.
If the Cassandra export is not essential, disable it (for example, stop running Glances with --export cassandra) until the upgrade is done.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with write access to the configuration file to redirect sensitive monitoring data to an attacker-controlled Cassandra keyspace and table. This results in significant confidentiality and integrity breaches of monitoring data, which may include CPU, memory, network, and disk I/O statistics.
Such unauthorized data redirection and potential data exfiltration can lead to non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and authorized access.
Because the vulnerability enables an attacker to silently capture and manipulate monitoring data, organizations using affected versions of Glances may face risks related to data privacy violations and failure to maintain data integrity, both critical aspects of these compliance frameworks.
Can you explain this vulnerability to me?
CVE-2026-35588 is a CQL injection vulnerability in the Cassandra export module of the Glances monitoring tool. Before version 4.5.4, the module interpolated the configured keyspace, table and replication_factor values directly into CQL statements without validation. An attacker with write access to glances.conf could therefore place crafted values in those settings and have them interpreted as CQL rather than as plain names and numbers.
Because the values are neither sanitized nor validated, such an attacker can redirect the exported monitoring data to a Cassandra keyspace and table under their control. The fix introduces strict validation: keyspace and table names must match a regular expression requiring a leading letter followed only by letters, digits and underscores, and replication_factor must be a positive integer. Allow-list validation is the appropriate fix here because CQL does not accept keyspace or table names (or replication options) as bound query parameters, so they cannot be parameterized the way data values can.
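The validation described above, and the configuration check suggested in the detection answer, as one added example written for this page (not Glances' own code): the script audits the [cassandra] section of a glances.conf against the identifier and replication_factor rules, and contrasts a string-interpolated CREATE KEYSPACE statement (the vulnerable pattern) with one that validates its inputs first. The CREATE KEYSPACE text is an assumed illustration of the interpolation pattern, not the exporter's actual statement; the sample configuration files and the invalid values in them are constructed for the example.

```python
import configparser
import re

# CQL unquoted identifiers: a letter followed by letters, digits or underscores.
# This is the pattern the advisory describes for the 4.5.4 fix.
CQL_IDENTIFIER = re.compile(r"[a-zA-Z][a-zA-Z0-9_]*")
POSITIVE_INT = re.compile(r"[1-9][0-9]*")


def is_valid_identifier(value: str) -> bool:
    """True if value is safe to interpolate as a CQL keyspace or table name."""
    return CQL_IDENTIFIER.fullmatch(value) is not None


def is_positive_int(value: str) -> bool:
    """True if value is a positive decimal integer (as found in a config file)."""
    return POSITIVE_INT.fullmatch(value) is not None


def build_create_keyspace_unsafe(keyspace: str, replication_factor: str) -> str:
    # Vulnerable pattern: configuration values land verbatim in the statement.
    # Illustrative statement text (assumed), not the exporter's actual CQL.
    return (
        f"CREATE KEYSPACE IF NOT EXISTS {keyspace} WITH replication = "
        f"{{'class': 'SimpleStrategy', 'replication_factor': '{replication_factor}'}}"
    )


def build_create_keyspace_safe(keyspace: str, replication_factor: str) -> str:
    # Identifiers and replication options cannot be passed as bound parameters
    # in CQL, so allow-list validation before interpolation is the fix.
    if not is_valid_identifier(keyspace):
        raise ValueError(f"invalid keyspace name: {keyspace!r}")
    if not is_positive_int(replication_factor):
        raise ValueError(f"invalid replication_factor: {replication_factor!r}")
    return build_create_keyspace_unsafe(keyspace, replication_factor)


def safe_builder_rejects(keyspace: str, replication_factor: str) -> bool:
    """True if the validated builder refuses this pair of values."""
    try:
        build_create_keyspace_safe(keyspace, replication_factor)
    except ValueError:
        return True
    return False


def audit_cassandra_section(conf_text: str) -> list[str]:
    """Return findings for the [cassandra] section of a glances.conf text."""
    parser = configparser.ConfigParser(interpolation=None)  # keep '%' literal
    parser.read_string(conf_text)
    findings: list[str] = []
    if not parser.has_section("cassandra"):
        return findings
    section = parser["cassandra"]
    for key in ("keyspace", "table"):
        value = section.get(key)
        if value is not None and not is_valid_identifier(value):
            findings.append(f"{key}={value!r} is not a safe CQL identifier")
    rf = section.get("replication_factor")
    if rf is not None and not is_positive_int(rf):
        findings.append(f"replication_factor={rf!r} is not a positive integer")
    return findings


# Constructed sample configurations (not taken from a real deployment).
GOOD_CONF = """\
[cassandra]
host=localhost
port=9042
keyspace=glances
replication_factor=2
table=localhost
"""

BAD_CONF = """\
[cassandra]
host=localhost
port=9042
keyspace=monitoring data
replication_factor=0
table=1stats
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(f"{name}: {audit_cassandra_section(conf) or 'no findings'}")
    # The unsafe builder happily emits whatever the config contained.
    print(build_create_keyspace_unsafe("monitoring data", "0"))
    # The validated builder refuses the same values.
    print("rejected:", safe_builder_rejects("monitoring data", "0"))
```

Run it against a real file with `audit_cassandra_section(open("/path/to/glances.conf").read())`; an empty list means the three settings pass the same checks the fixed version applies. The unsafe builder is kept only to show where the configured strings end up; in hardened code the validated builder is the only entry point.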
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker with write access to the Glances configuration file to redirect all exported monitoring data (such as CPU, memory, network and disk I/O statistics) to a Cassandra keyspace and table controlled by the attacker.
This can lead to confidentiality and integrity breaches, because the monitoring data can be exfiltrated or manipulated without the operator noticing. The legitimate destination also stops receiving data, so the monitoring itself becomes incomplete or unreliable.