Glances, CQL Injection, CVE-2026-35588 (Critical)

Listen to this Post

The vulnerability exists because the Cassandra export module (glances/exports/glances_cassandra/__init__.py) directly interpolates the keyspace, table, and `replication_factor` configuration values into CQL statements without any validation or sanitization. Specifically, on line 80, the CREATE KEYSPACE statement is built using an f-string that embeds `self.keyspace` and self.replication_factor. On line 94, the CREATE TABLE statement is constructed similarly using self.table. Later, on line 112, an INSERT statement is formed with `self.table` again. A local user who can write to `glances.conf` can therefore set a malicious `table` value that includes a different keyspace (e.g., attacker_ks.captured_stats). When Glances is run with the Cassandra export module enabled, it executes the unsanitized CQL commands, causing all monitoring data—CPU, memory, network, disk I/O—to be inserted into the attacker‑controlled table instead of the intended legitimate table. The provided reproduction steps confirm that the legitimate table receives zero rows while the attacker’s table gets the data, proving successful exploitation.

DailyCVE Form:

Platform: Glances
Version: <4.5.4
Vulnerability: CQL Injection
Severity: Critical
Date: 2026-04-21

Prediction: 2026-04-20

What Undercode Say:

Confirm Glances version (vulnerable if <4.5.4)
glances --version
Edit glances.conf to inject malicious table value
echo "[bash]
host = 127.0.0.1
port = 9042
keyspace = glances
table = attacker_ks.captured_stats" >> ~/.config/glances/glances.conf
Create the attacker keyspace in Cassandra
cqlsh -e "CREATE KEYSPACE attacker_ks WITH replication = {'class': 'SimpleStrategy', 'replication_factor': 1};"
Run Glances with Cassandra export
glances --export cassandra
Verify redirection: attacker table gets data, legitimate table gets none
cqlsh -e "SELECT COUNT() FROM glances.cpu;"
cqlsh -e "SELECT COUNT() FROM attacker_ks.captured_stats;"

How Exploit:

A local user with write access to `glances.conf` sets the `table` parameter to a value that includes a different keyspace (e.g., attacker_ks.captured_stats). When Glances runs, it executes the unsanitized CQL statements, redirecting all monitoring data to the attacker‑controlled keyspace without any error or notification.

Protection from this CVE:

Upgrade to Glances version 4.5.4 or later, which introduces a validation function (_validate_cql_identifier) that ensures `keyspace` and `table` values contain only allowed characters ([a-zA-Z_][a-zA-Z0-9_.]). Alternatively, restrict write access to `glances.conf` and review any existing configuration for suspicious keyspace/table values.

Impact:

Successful exploitation leads to complete redirection of all exported monitoring data (CPU, memory, network, disk I/O) to an attacker‑controlled Cassandra keyspace. This results in both data exfiltration (the attacker can read the stolen metrics) and data loss (the legitimate monitoring data is never written to the intended location).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top