The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-30930

CVE-2026-30930: Glances SQL Injection Vulnerability

CVE-2026-30930 is a SQL injection flaw in Glances that allows attackers to execute arbitrary SQL queries through unsanitized system data. This article covers technical details, affected versions, and mitigation steps.

Published: March 13, 2026

CVE-2026-30930 Overview

Glances is an open-source system cross-platform monitoring tool. A SQL injection vulnerability exists in versions prior to 4.5.1 within the TimescaleDB export module. The module constructs SQL queries using string concatenation with unsanitized system monitoring data. The normalize() method wraps string values in single quotes but does not escape embedded single quotes, making SQL injection trivial via attacker-controlled data such as process names, filesystem mount points, network interface names, or container names.

Critical Impact

Attackers can achieve SQL injection through attacker-controlled system data like process names, mount points, or container names, potentially leading to data exfiltration, modification, or destruction in connected TimescaleDB databases.

Affected Products

  • Glances versions prior to 4.5.1
  • Systems using the TimescaleDB export module
  • Environments monitoring untrusted process names, filesystem mount points, network interfaces, or container names

Discovery Timeline

  • 2026-03-10 - CVE CVE-2026-30930 published to NVD
  • 2026-03-11 - Last updated in NVD database

Technical Details for CVE-2026-30930

Vulnerability Analysis

This vulnerability affects the TimescaleDB export functionality in Glances. The root cause lies in improper input validation when constructing SQL queries from system monitoring data. The application's normalize() method attempts to sanitize string values by wrapping them in single quotes, but critically fails to escape single quotes that may be embedded within the data itself.

Since Glances monitors various system metrics including process names, filesystem mount points, network interface names, and container names, an attacker with the ability to control any of these values can inject malicious SQL code. For example, a malicious process name containing SQL metacharacters could be crafted to break out of the string context and execute arbitrary SQL commands against the connected TimescaleDB instance.

The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), which is one of the most common and dangerous vulnerability types in software applications.

Root Cause

The vulnerability stems from the normalize() method's incomplete string sanitization. While the method wraps string values in single quotes to create SQL string literals, it fails to escape embedded single quotes within the input data. This classic SQL injection pattern allows attackers to terminate the string literal prematurely and inject arbitrary SQL syntax.

Attack Vector

The attack requires local access to the system being monitored by Glances. An attacker can exploit this vulnerability by creating system artifacts with malicious names, such as:

  • Creating processes with SQL injection payloads in their names
  • Mounting filesystems with crafted mount point paths
  • Configuring network interfaces with malicious names
  • Creating Docker/container names containing SQL injection strings

When Glances collects and exports this monitoring data to TimescaleDB, the unsanitized values are incorporated directly into SQL queries, allowing the injected code to execute against the database.

The vulnerability mechanism works as follows: when the TimescaleDB export module processes system data, string values are passed through the normalize() method which wraps them in single quotes. However, if the input contains a single quote character, the attacker can escape the string context. For example, a process named test'; DROP TABLE stats; -- would result in the quote being closed prematurely, allowing subsequent SQL commands to execute.

For detailed technical analysis, see the GitHub Security Advisory.

Detection Methods for CVE-2026-30930

Indicators of Compromise

  • Unusual process names containing SQL syntax or special characters (single quotes, semicolons, comment indicators)
  • Unexpected filesystem mount points with SQL injection patterns in their paths
  • Container or network interface names with suspicious string patterns
  • Anomalous SQL query patterns in TimescaleDB logs
  • Database errors indicating malformed SQL queries from Glances exports

Detection Strategies

  • Monitor for processes with names containing SQL metacharacters such as single quotes, semicolons, or SQL keywords
  • Implement database query logging and alerting for anomalous SQL patterns from Glances connections
  • Review TimescaleDB logs for SQL syntax errors that may indicate injection attempts
  • Deploy application-level monitoring to detect unexpected data patterns in Glances export operations

Monitoring Recommendations

  • Enable detailed query logging on TimescaleDB instances receiving Glances data
  • Implement alerts for SQL errors originating from Glances export connections
  • Monitor system for creation of processes, mount points, or containers with suspicious naming patterns
  • Review Glances configuration to identify all active export modules and their database connections

How to Mitigate CVE-2026-30930

Immediate Actions Required

  • Upgrade Glances to version 4.5.1 or later immediately
  • If upgrade is not immediately possible, disable the TimescaleDB export module until patched
  • Review TimescaleDB logs for evidence of exploitation attempts
  • Audit systems for suspicious process names, mount points, or container names that may contain SQL injection payloads
  • Restrict database permissions for the Glances TimescaleDB user to minimum required privileges

Patch Information

The vulnerability has been fixed in Glances version 4.5.1. The fix addresses the SQL injection issue by properly escaping embedded single quotes in the normalize() method before constructing SQL queries.

Patch Resources:

  • GitHub Release v4.5.1
  • GitHub Commit with Fix

Workarounds

  • Disable the TimescaleDB export module if not critical to operations until upgrade can be performed
  • Implement network segmentation to restrict Glances database connectivity
  • Apply strict database user permissions to limit potential damage from SQL injection
  • Monitor and sanitize system artifact names (processes, mount points, containers) at the OS level to prevent malicious input
  • Consider using alternative export modules that do not have this vulnerability
bash
# Configuration example - Disable TimescaleDB export in glances.conf
# Edit the Glances configuration file
# Locate and comment out or remove the TimescaleDB section

[timescaledb]
# Disable by commenting out the host configuration
# host=localhost
# port=5432
# user=glances
# password=glances
# db=glances

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSQLI
  • Vendor/TechGlances
  • SeverityHIGH
  • CVSS Score8.6
  • EPSS Probability0.02%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-89
  • Technical References
  • GitHub Commit Update
  • GitHub Release v4.5.1
  • GitHub Security Advisory GHSA-x46r-mf5g-xpr6
  • Related CVEs
  • CVE-2026-33641: Glances Privilege Escalation Vulnerability
  • CVE-2026-33533: Glances Information Disclosure Vulnerability
  • CVE-2026-32610: Glances REST API CORS XSS Vulnerability
  • CVE-2026-30928: Glances Information Disclosure Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English