CVE-2026-32611
Published: 18 March 2026
Summary
CVE-2026-32611 is a high-severity SQL Injection (CWE-89) vulnerability in Nicolargo Glances. Its CVSS base score is 7.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of table and column names derived from monitoring statistics before interpolation into DuckDB SQL statements, directly preventing SQL injection exploitation.
Mandates timely identification, reporting, and patching of flaws like the DuckDB SQL injection in Glances, such as upgrading to version 4.5.3.
Provides vulnerability scanning to identify SQL injection vulnerabilities in applications like Glances' DuckDB export module prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible Glances export module directly matches the definition of exploiting a public-facing application (T1190) to achieve data extraction and limited modification/DoS on the backend database.
NVD Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`)…
more
was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
Deeper analysisAI
CVE-2026-32611 is a SQL injection vulnerability (CWE-89) affecting Glances, an open-source cross-platform system monitoring tool. The issue resides in the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`), where table names and column names derived from monitoring statistics are directly interpolated into SQL statements using f-strings. Although a prior fix for GHSA-x46r (commit 39161f0) addressed a similar SQL injection in the TimescaleDB export module by adopting parameterized queries and `psycopg.sql` composable objects, the DuckDB module was overlooked. In DuckDB, while INSERT values use parameterized queries with `?` placeholders, the DDL construction and table name references lack proper escaping or parameterization for identifiers. The vulnerability is scored at CVSS 7.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L) and was published on 2026-03-18.
A remote unauthenticated attacker (PR:N) with network access (AV:N) can exploit this vulnerability, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation enables high confidentiality impact (C:H) through data extraction from the DuckDB database, alongside low integrity (I:L) and availability (A:L) impacts within unchanged scope (S:U), such as limited data modification or denial of service on the database.
Advisories and patches, including GHSA-49g7-2ww7-3vf5, recommend upgrading to Glances version 4.5.3, which provides a more complete fix. The remediation commit is available at https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c, and release notes for v4.5.2 are at https://github.com/nicolargo/glances/releases/tag/v4.5.2, though the full DuckDB fix appears in 4.5.3.
Details
- CWE(s)