CVE-2026-35588
Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates the keyspace, table, and replication_factor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.
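The unvalidated interpolation described above and the allow-list the fix introduces, as an added example that is not Glances' own code: it re-implements the identifier check with `re.fullmatch` (so a trailing newline cannot slip past a `$`-anchored `re.match`), validates `replication_factor` as a positive integer, and only then composes a `CREATE KEYSPACE` statement. The `[cassandra]` config keys and the statement text are assumptions, not the project's actual schema.

```python
import configparser
import re

# Same allow-list as the 4.5.4 fix: a letter, then letters, digits or underscores.
# fullmatch() is used instead of match() with '$', because '$' also matches before
# a trailing newline and would let "ks\n" through unchanged.
_CQL_IDENTIFIER_RE = re.compile(r'[a-zA-Z][a-zA-Z0-9_]*')


def validate_cql_identifier(value, name):
    """Return value as str if it is a safe unquoted CQL identifier, else raise."""
    text = str(value)
    if not _CQL_IDENTIFIER_RE.fullmatch(text):
        raise ValueError(f"invalid CQL identifier for {name!r}: {text!r}")
    return text


def validate_replication_factor(value):
    """Return replication_factor as a positive int, rejecting anything else."""
    try:
        factor = int(str(value))
    except ValueError:
        raise ValueError(f"replication_factor is not an integer: {value!r}")
    if factor < 1:
        raise ValueError("replication_factor must be a positive integer")
    return factor


def load_cassandra_export(conf_text):
    """Parse a [cassandra] section (assumed layout, not Glances' real schema),
    validate it, and return the settings plus the CREATE KEYSPACE statement."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    section = parser['cassandra']
    keyspace = validate_cql_identifier(section['keyspace'], 'keyspace')
    table = validate_cql_identifier(section['table'], 'table')
    factor = validate_replication_factor(section['replication_factor'])
    # Only allow-listed identifiers and an int reach the f-string, so config
    # values cannot add clauses or further statements to the CQL text.
    cql = (f"CREATE KEYSPACE IF NOT EXISTS {keyspace} WITH replication = "
           f"{{'class': 'SimpleStrategy', 'replication_factor': {factor}}};")
    return {'keyspace': keyspace, 'table': table, 'replication_factor': factor, 'cql': cql}


def rejected(conf_text):
    """True if the loader refuses this configuration text with ValueError."""
    try:
        load_cassandra_export(conf_text)
    except ValueError:
        return True
    return False


# Constructed sample configuration; the key names are assumptions.
GOOD_CONF = "[cassandra]\nkeyspace=glances\ntable=localhost\nreplication_factor=1\n"
```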
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| glances (PyPI) | < 4.5.4 | 4.5.4 |
Affected products
Patches
e41b665576f9 Merge pull request #3520 from morimori-dev/fix/cassandra-cql-injection-ghsa-grp3-h8m8-45p7
1 file changed · +26 −0
glances/exports/glances_cassandra/__init__.py+26 −0 modified@@ -8,6 +8,7 @@ """Cassandra/Scylla interface class.""" +import re import sys from datetime import datetime from numbers import Number @@ -21,6 +22,19 @@ from glances.logger import logger +_CQL_IDENTIFIER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_]*$') + + +def _validate_cql_identifier(value, name): + """Raise ValueError if value is not a safe CQL identifier.""" + if not _CQL_IDENTIFIER_RE.match(str(value)): + raise ValueError( + f"Invalid CQL identifier for '{name}': {value!r}. " + "Only letters, digits, and underscores are allowed, and it must start with a letter." + ) + return str(value) + + class Export(GlancesExport): """This class manages the Cassandra/Scylla export module.""" @@ -47,6 +61,18 @@ def __init__(self, config=None, args=None): if not self.export_enable: sys.exit(2) + # Validate CQL identifiers to prevent injection via config values + try: + self.keyspace = _validate_cql_identifier(self.keyspace, 'keyspace') + self.table = _validate_cql_identifier(self.table, 'table') + self.replication_factor = int(self.replication_factor) + if self.replication_factor < 1: + raise ValueError("replication_factor must be a positive integer") + except ValueError as e: + logger.error(f"Cassandra configuration error: {e}") + self.export_enable = False + return + # Init the Cassandra client self.cluster, self.session = self.init()
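Review bot: in the hunk at @@ -21,6 +22,19 @@, `_CQL_IDENTIFIER_RE` is anchored with `$` and applied through `re.match`, and in Python `$` also matches immediately before a trailing newline, so a value such as `'glances\n'` satisfies the check and is returned unchanged, newline included. Anchor the pattern with `\Z` or call `_CQL_IDENTIFIER_RE.fullmatch(str(value))` instead. The docstring should also say that only unquoted identifiers are accepted, since a quoted, case-sensitive keyspace name is rejected by design and operators will want to know why.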
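Review bot: in the hunk at @@ -47,6 +61,18 @@, the error path sets `self.export_enable = False` and returns before `self.init()` runs, so `self.cluster` and `self.session` are never assigned; any later export method that reaches `self.session` without first checking `export_enable` will fail with AttributeError instead of the logged configuration error. Either assign `self.cluster = self.session = None` before the `return`, or confirm every caller gates on `export_enable`. Separately, `int(self.replication_factor)` raises TypeError rather than ValueError if the attribute is ever `None`, which the `except ValueError` clause does not catch.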
d339181f03a1 fix(cassandra): validate keyspace/table/replication_factor to prevent CQL injection
1 file changed · +25 −0
glances/exports/glances_cassandra/__init__.py+25 −0 modified@@ -8,6 +8,7 @@ """Cassandra/Scylla interface class.""" +import re import sys from datetime import datetime from numbers import Number @@ -21,6 +22,19 @@ from glances.logger import logger +_CQL_IDENTIFIER_RE = re.compile(r'^[a-zA-Z][a-zA-Z0-9_]*$') + + +def _validate_cql_identifier(value, name): + """Raise ValueError if value is not a safe CQL identifier.""" + if not _CQL_IDENTIFIER_RE.match(str(value)): + raise ValueError( + f"Invalid CQL identifier for '{name}': {value!r}. " + "Only letters, digits, and underscores are allowed, and it must start with a letter." + ) + return str(value) + + class Export(GlancesExport): """This class manages the Cassandra/Scylla export module.""" @@ -47,6 +61,17 @@ def __init__(self, config=None, args=None): if not self.export_enable: sys.exit(2) + # Validate CQL identifiers to prevent injection via config values + try: + self.keyspace = _validate_cql_identifier(self.keyspace, 'keyspace') + self.table = _validate_cql_identifier(self.table, 'table') + self.replication_factor = int(self.replication_factor) + if self.replication_factor < 1: + raise ValueError("replication_factor must be a positive integer") + except ValueError as e: + logger.critical(f"Cassandra configuration error: {e}") + sys.exit(2) + # Init the Cassandra client self.cluster, self.session = self.init()
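Review bot: the hunk at @@ -47,6 +61,17 @@ differs from the merged version above only in its error path, `logger.critical` followed by `sys.exit(2)`, which matches the `if not self.export_enable: sys.exit(2)` check immediately before it, so this variant leaves no half-initialised object behind. What the commit lacks is a test: the summary reads `1 file changed · +25 −0`, so nothing exercises `_validate_cql_identifier` on rejected input (a value containing whitespace, quotes or a semicolon, or one starting with a digit) or the `replication_factor < 1` branch. Add a unit test covering those cases alongside the validator.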
References
- github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d8160 (NVD: Patch, web)
- github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c (NVD: Patch, web)
- github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p7 (NVD: Exploit, Mitigation, Vendor Advisory, web)
- github.com/advisories/GHSA-grp3-h8m8-45p7 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-35588 (GHSA: Advisory)