Join the Cyber Forum: Threat Intel on May 12, 2026 to learn how AI is reshaping threat defense.Join the Virtual Cyber Forum: Threat IntelRegister Now
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32611

CVE-2026-32611: Nicolargo Glances SQLI Vulnerability

CVE-2026-32611 is a SQL injection flaw in Nicolargo Glances DuckDB export module where table and column names from monitoring stats are interpolated unsafely. This article covers technical details, affected versions, and patches.

Published: March 20, 2026

CVE-2026-32611 Overview

CVE-2026-32611 is a critical SQL Injection vulnerability affecting Glances, an open-source cross-platform system monitoring tool. The vulnerability exists in the DuckDB export module (glances/exports/glances_duckdb/__init__.py) where table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While a previous fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module using parameterized queries, the DuckDB export module was not included in that remediation and contains the same class of vulnerability.

Critical Impact

Attackers with network access can exploit unsanitized SQL identifier interpolation in the DuckDB export module to execute arbitrary SQL commands, potentially leading to unauthorized data access and data manipulation.

Affected Products

  • Nicolargo Glances (versions prior to 4.5.3)

Discovery Timeline

  • 2026-03-18 - CVE CVE-2026-32611 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32611

Vulnerability Analysis

This vulnerability stems from an incomplete security fix. When the Glances development team addressed SQL injection in the TimescaleDB export module (GHSA-x46r), they converted SQL operations to use parameterized queries and psycopg.sql composable objects. However, the DuckDB export module was overlooked during this remediation effort and retained the vulnerable code pattern.

The core issue lies in how the DuckDB module constructs DDL (Data Definition Language) statements and table name references. While the INSERT statement values already use parameterized queries with ? placeholders, the identifier names (table names and column names) are not escaped or parameterized. This allows an attacker who can influence the monitoring statistics data to inject malicious SQL through crafted identifier names.

Root Cause

The root cause is improper input validation and lack of identifier sanitization in the DuckDB export module. When constructing SQL statements, the module uses Python f-strings to directly interpolate table and column names derived from monitoring statistics into SQL queries. DuckDB, like most SQL databases, requires proper escaping of identifiers using double-quote escaping conventions, which was not implemented in the vulnerable code.

Attack Vector

An attacker with network access to the Glances monitoring tool can exploit this vulnerability by injecting malicious SQL through crafted monitoring statistic names. Since the vulnerability exists in the export functionality, any data being exported to DuckDB that contains specially crafted identifiers could trigger SQL injection. The attack does not require authentication and can be executed remotely, potentially allowing attackers to read sensitive data, modify database contents, or manipulate the underlying DuckDB database.

python
# Security patch implementing proper identifier quoting
# Source: https://github.com/nicolargo/glances/commit/63b7da28895249d775202d639e5531ba63491a5c

from glances.exports.export import GlancesExport
from glances.logger import logger


def _quote_identifier(name):
    """Quote a SQL identifier to prevent injection.

    DuckDB uses standard double-quote escaping for identifiers.
    Any embedded double-quote is doubled to escape it.
    """
    return '"' + str(name).replace('"', '""') + '"'


# Define the type conversions for DuckDB
# https://duckdb.org/docs/stable/clients/python/conversion
convert_types = {

The security patch introduces a _quote_identifier() function that properly escapes SQL identifiers by wrapping them in double quotes and doubling any embedded double-quote characters, following DuckDB's standard escaping convention.

Detection Methods for CVE-2026-32611

Indicators of Compromise

  • Unusual or malformed table names in DuckDB database exports containing SQL metacharacters such as double quotes, semicolons, or SQL keywords
  • Error logs indicating SQL parsing failures or unexpected query structures in the Glances DuckDB export module
  • Unexpected database schema changes or tables created with suspicious names

Detection Strategies

  • Monitor Glances application logs for SQL syntax errors or unusual database operations
  • Implement database activity monitoring on DuckDB instances receiving Glances exports
  • Review network traffic for anomalous monitoring data payloads containing SQL injection patterns

Monitoring Recommendations

  • Enable verbose logging for the Glances DuckDB export module to capture all SQL operations
  • Implement alerting on database query failures that may indicate injection attempts
  • Audit DuckDB database schemas periodically for unauthorized or suspicious table and column names

How to Mitigate CVE-2026-32611

Immediate Actions Required

  • Upgrade Glances to version 4.5.3 or later which contains the complete fix for this vulnerability
  • If immediate upgrade is not possible, disable the DuckDB export module until patching is complete
  • Review DuckDB databases that received exports from vulnerable Glances instances for signs of exploitation

Patch Information

The vulnerability is fixed in Glances version 4.5.3. The security patch introduces proper identifier quoting using the _quote_identifier() function that escapes SQL identifiers according to DuckDB's double-quote escaping convention. The fix is available in commit 63b7da28895249d775202d639e5531ba63491a5c. For additional technical details, refer to the GitHub Security Advisory GHSA-49g7-2ww7-3vf5.

Workarounds

  • Disable the DuckDB export functionality by removing or commenting out the [duckdb] configuration section in glances.conf
  • Use alternative export modules (such as CSV or JSON) that do not involve SQL operations until the patch is applied
  • Implement network segmentation to restrict access to Glances monitoring endpoints
bash
# Configuration example - Disable DuckDB export by commenting out or removing this section
# In glances.conf:
# [duckdb]
# database=:memory:

# Alternative: Use in-memory database to limit exposure (still vulnerable but reduces persistence)
[duckdb]
database=:memory:

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSQLI
  • Vendor/TechNicolargo Glances
  • SeverityCRITICAL
  • CVSS Score9.1
  • EPSS Probability0.01%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-89
  • Technical References
  • GitHub Release v4.5.2
  • Vendor Resources
  • GitHub Commit Update
  • GitHub Security Advisory GHSA-49g7-2ww7-3vf5
  • Related CVEs
  • CVE-2026-35588: Nicolargo Glances SQLi Vulnerability
  • CVE-2026-35587: Nicolargo Glances SSRF Vulnerability
  • CVE-2026-32632: Nicolargo Glances CSRF Vulnerability
  • CVE-2026-32633: Glances Information Disclosure Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English