CVE-2026-35588 PUBLISHED

Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values

Assigner: GitHub_M
Reserved: 03.04.2026 Published: 20.04.2026 Updated: 20.04.2026

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates keyspace, table, and replication_factor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
CVSS Score: 6.3

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	nicolargo
Product	glances
Versions	Version < 4.5.4 is affected

References

Problem Types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE