CVE-2026-35588 Overview
CVE-2026-35588 is a CQL (Cassandra Query Language) injection vulnerability in Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates keyspace, table, and replication_factor configuration values directly into CQL statements without proper validation. This vulnerability enables an attacker with write access to glances.conf to redirect all monitoring data to an attacker-controlled Cassandra keyspace.
Critical Impact
A malicious user with write access to the Glances configuration file can manipulate CQL statements to exfiltrate sensitive monitoring data to an attacker-controlled Cassandra keyspace, potentially exposing system metrics and performance data.
Affected Products
- Nicolargo Glances versions prior to 4.5.4
- Glances Cassandra/Scylla export module (glances/exports/glances_cassandra/__init__.py)
- Systems using Glances with Cassandra data export enabled
Discovery Timeline
- 2026-04-21 - CVE CVE-2026-35588 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-35588
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), specifically a CQL injection flaw in the Cassandra export functionality. The attack requires local access and elevated privileges—specifically, write access to the glances.conf configuration file. Once an attacker modifies the configuration, they can manipulate how Glances constructs CQL statements when exporting monitoring data to Cassandra.
The vulnerability allows attackers to control the destination keyspace where monitoring data is written, effectively enabling data exfiltration. The impact includes potential compromise of confidentiality (exposure of system monitoring data), integrity (manipulation of data storage location), and limited availability concerns.
Root Cause
The root cause of this vulnerability lies in the direct string interpolation of user-controlled configuration values (keyspace, table, and replication_factor) into CQL statements without any input validation or sanitization. The Cassandra export module trusted these configuration values implicitly, allowing malicious values to alter the intended CQL query behavior.
Attack Vector
The attack vector is local, requiring an attacker to have write access to the Glances configuration file (glances.conf). Once this access is obtained, the attacker can:
- Modify the keyspace, table, or replication_factor configuration values
- Inject malicious CQL syntax into these parameters
- Redirect monitoring data exports to an attacker-controlled Cassandra keyspace
- Potentially execute arbitrary CQL statements depending on the injection context
The security patch introduces input validation using regular expressions to ensure configuration values conform to expected patterns before being used in CQL statements:
"""Cassandra/Scylla interface class."""
+import re
import sys
from datetime import datetime
from numbers import Number
Source: GitHub Commit Update
The patch adds regex-based validation to sanitize the keyspace, table, and replication_factor parameters before they are interpolated into CQL statements.
Detection Methods for CVE-2026-35588
Indicators of Compromise
- Unexpected modifications to glances.conf configuration file, particularly in the Cassandra export section
- Unusual keyspace, table, or replication_factor values containing special characters or CQL syntax
- Network connections from Glances to unexpected Cassandra hosts or keyspaces
- Monitoring data appearing in unauthorized Cassandra keyspaces
Detection Strategies
- Monitor file integrity of glances.conf using file integrity monitoring (FIM) solutions
- Audit changes to Glances configuration files and correlate with authorized change requests
- Review Cassandra audit logs for unexpected keyspace creation or data insertion patterns
- Implement runtime application self-protection (RASP) to detect injection attempts
Monitoring Recommendations
- Enable audit logging for all configuration file modifications on systems running Glances
- Configure alerts for any changes to Cassandra export settings in Glances
- Monitor outbound network connections from Glances processes to identify unauthorized Cassandra endpoints
- Implement centralized logging to correlate configuration changes with suspicious activity
How to Mitigate CVE-2026-35588
Immediate Actions Required
- Upgrade Glances to version 4.5.4 or later immediately
- Audit glances.conf files for any unauthorized or suspicious modifications
- Review file permissions on configuration files to ensure only authorized users have write access
- Verify Cassandra export settings match expected and authorized values
Patch Information
The vulnerability has been addressed in Glances version 4.5.4. The fix implements input validation using regular expressions to sanitize keyspace, table, and replication_factor configuration values before they are used in CQL statements. For detailed information about the security fix, refer to the GitHub Security Advisory.
Security patches are available via the following commits:
Workarounds
- Restrict write access to glances.conf to only highly trusted administrators
- Disable the Cassandra export module if not actively required for operations
- Implement network segmentation to limit Glances connectivity to authorized Cassandra clusters only
- Use configuration management tools to enforce and monitor Glances configuration integrity
# Configuration example: Restrict glances.conf file permissions
chmod 600 /etc/glances/glances.conf
chown root:root /etc/glances/glances.conf
# Verify Cassandra export settings
grep -A 10 "\[cassandra\]" /etc/glances/glances.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
