Fluid Attacks Database

Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (glances/exports/glances_cassandra/__init__.py) interpolates keyspace, table, and replication_factor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlled Cassandra keyspace. Version 4.5.4 contains a fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	glances	>=0 <4.5.4	4.5.4
debian 12	glances	=3.3.1.1+dfsg-1 \|\| =3.4.0.3+dfsg-1 \|\| =4.0.5+dfsg-1 \|\| =4.1.2.1+dfsg-1 \|\| =4.2.1+dfsg-1 \|\| =4.3.0.8+dfsg-1 \|\| =4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| =4.5.2+dfsg-1 \|\| =4.5.3.2+dfsg-1 \|\| =4.5.4+dfsg-1	-
debian 14	glances	=4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| =4.5.2+dfsg-1 \|\| =4.5.3.2+dfsg-1 \|\| >=0 <4.5.4+dfsg-1	4.5.4+dfsg-1
debian 13	glances	=4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| =4.5.2+dfsg-1 \|\| =4.5.3.2+dfsg-1 \|\| =4.5.4+dfsg-1	-

Aliases

1. CVE-2026-355882. NVD-2026-355883. OSV-2026-355884. OSV-DEBIAN-2026-355885. GHSA-grp3-h8m8-45p76. GCVE-2026-355887. SECURITY-TRACKER-CVE-2026-35588

References

1. https://github.com/nicolargo/glances/security/advisories/GHSA-grp3-h8m8-45p72. https://github.com/nicolargo/glances/commit/d339181f03a14bb15506307e9d58f876e23d81603. https://github.com/nicolargo/glances/commit/e41b665576f9fd5374e3152078726cc59a01e48c