CVE-2026-32611: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in nicolargo glances
Glances is an open-source, cross-platform system monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are interpolated directly into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references neither escape nor parameterize identifier names. Version 4.5.3 provides a more complete fix.
AI Analysis
Technical Summary
Glances is a widely used open-source, cross-platform system monitoring tool that supports exporting monitoring data to various databases, including TimescaleDB and DuckDB. CVE-2026-32611 identifies an SQL injection vulnerability in the DuckDB export module of Glances versions prior to 4.5.2. The root cause is the unsafe construction of SQL Data Definition Language (DDL) statements and table/column identifiers with Python f-strings, which interpolate names derived from monitoring statistics directly into the SQL text without escaping or parameterization. While the actual data insertion queries use parameterized placeholders, the identifiers in the SQL statements are not sanitized, so an attacker who can influence these names can inject SQL. This vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The issue was partially addressed in the TimescaleDB export module by converting all SQL operations to parameterized queries and composable objects, but the DuckDB module was overlooked until version 4.5.3. The vulnerability has a CVSS 3.1 base score of 7.0, with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, high confidentiality impact, low integrity impact, and low availability impact. No known exploits are currently reported in the wild. The flaw could allow remote attackers to execute arbitrary SQL commands, potentially exposing sensitive monitoring data or causing limited disruption to the monitoring database.
Potential Impact
The SQL injection vulnerability in Glances' DuckDB export module can lead to unauthorized disclosure of sensitive system monitoring data, which may include performance metrics, system configurations, or other operational details. Although the integrity and availability impacts are rated low, attackers could manipulate or corrupt monitoring data, potentially misleading system administrators or automated systems relying on this data. Organizations using Glances with DuckDB export in vulnerable versions risk exposure of internal system information, which could be leveraged for further attacks or reconnaissance. Since Glances is used globally across various industries for system monitoring, the vulnerability poses a significant risk to enterprises, cloud providers, and managed service providers that integrate DuckDB for data export. The network-exploitable nature without authentication increases the threat surface, especially in environments where monitoring tools are exposed or accessible remotely. The absence of known exploits suggests limited active exploitation but does not diminish the urgency for remediation given the ease of exploitation and potential data confidentiality impact.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Glances to version 4.5.3 or later, where the DuckDB export module has been fixed to properly parameterize and escape SQL identifiers. Until an upgrade is possible, administrators should restrict network access to the Glances monitoring service, ensuring it is not exposed to untrusted networks or users. Implement network segmentation and firewall rules to limit access to the monitoring endpoints. Review and sanitize any custom monitoring statistics or naming conventions that could be manipulated to inject SQL code. Additionally, monitor logs for unusual SQL errors or suspicious activity related to the DuckDB export functionality. Employ runtime application self-protection (RASP) or database activity monitoring (DAM) tools to detect and block anomalous SQL queries. Finally, consider disabling the DuckDB export module if it is not essential, to reduce the attack surface.
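As an added illustration, not code from Glances or from the advisory, the following Python contrasts the f-string identifier interpolation the description attributes to the DuckDB exporter with a hardened builder that allowlists and quotes every identifier while keeping row values as `?` placeholders, which the description notes the exporter already did. The function names, the sample `mem` table, its stat keys, the column-type map and the hostile stat key are all constructed assumptions; the optional in-memory run only executes if the `duckdb` package happens to be installed.

```python
import re
from datetime import datetime

# Constructed sample: a plugin name used as the table name and stat keys used
# as column names, standing in for the identifiers Glances derives from stats.
SAMPLE_TABLE = "mem"
SAMPLE_FIELDS = {"total": "BIGINT", "used": "BIGINT", "percent": "DOUBLE"}

# Constructed hostile stat key: a quote and a semicolon are enough to turn an
# interpolated identifier into a second statement (kept harmless on purpose).
HOSTILE_FIELD = 'used"; SELECT 1; --'

# Strict allowlist for identifiers: letters, digits and underscore, not
# starting with a digit. Anything else is rejected rather than escaped.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")

# Column types come from a fixed map, never from the exported data.
ALLOWED_TYPES = {"BIGINT", "DOUBLE", "VARCHAR"}


def build_ddl_unsafe(table, fields):
    """Assumed shape of the vulnerable pattern: identifiers dropped straight
    into the SQL text via f-strings with no validation (not Glances' code)."""
    cols = ", ".join(f'"{name}" {ctype}' for name, ctype in fields.items())
    return f'CREATE TABLE IF NOT EXISTS "{table}" (ts TIMESTAMP, {cols})'


def validate_ident(name):
    """Reject any identifier outside the allowlist; returns it unchanged."""
    if not IDENT_RE.match(name):
        raise ValueError(f"refusing unsafe SQL identifier: {name!r}")
    return name


def quote_ident(name):
    """Quote an identifier the way DuckDB (PostgreSQL-style) expects:
    wrap in double quotes and double any embedded double quote."""
    return '"' + name.replace('"', '""') + '"'


def build_ddl_safe(table, fields):
    """Hardened builder: allowlist-validate, then quote, every identifier."""
    cols = []
    for name, ctype in fields.items():
        if ctype not in ALLOWED_TYPES:
            raise ValueError(f"unsupported column type: {ctype!r}")
        cols.append(f"{quote_ident(validate_ident(name))} {ctype}")
    return (f"CREATE TABLE IF NOT EXISTS {quote_ident(validate_ident(table))} "
            f"(ts TIMESTAMP, {', '.join(cols)})")


def build_insert_safe(table, fields):
    """Identifiers validated and quoted; values stay as '?' placeholders."""
    names = [quote_ident(validate_ident(n)) for n in fields]
    placeholders = ", ".join("?" for _ in names)
    return (f"INSERT INTO {quote_ident(validate_ident(table))} "
            f"(ts, {', '.join(names)}) VALUES (?, {placeholders})")


def run_in_memory(table, fields, values):
    """Run the hardened DDL and INSERT against an in-memory DuckDB when the
    duckdb package is installed; returns the row count, or None if it is not."""
    try:
        import duckdb
    except ImportError:
        return None
    con = duckdb.connect(":memory:")
    con.execute(build_ddl_safe(table, fields))
    con.execute(build_insert_safe(table, fields), [datetime.now(), *values])
    query = f"SELECT count(*) FROM {quote_ident(validate_ident(table))}"
    return con.execute(query).fetchone()[0]


if __name__ == "__main__":
    # The unsafe builder passes the hostile key through as raw SQL text.
    print(build_ddl_unsafe(SAMPLE_TABLE, {HOSTILE_FIELD: "BIGINT"}))
    # The hardened builder refuses it before any SQL is assembled.
    try:
        build_ddl_safe(SAMPLE_TABLE, {HOSTILE_FIELD: "BIGINT"})
    except ValueError as exc:
        print(exc)
    print(build_ddl_safe(SAMPLE_TABLE, SAMPLE_FIELDS))
    print(build_insert_safe(SAMPLE_TABLE, SAMPLE_FIELDS))
    print(run_in_memory(SAMPLE_TABLE, SAMPLE_FIELDS, [8000, 4000, 50.0]))
```

The allowlist is the primary control and quoting is defense in depth: a stat key that would need quoting at all is a sign that untrusted input has reached the identifier position, so refusing it loudly is more useful for a monitoring exporter than silently escaping it.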
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-12T14:54:24.270Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bae0bb771bdb1749b563de
Added to database: 3/18/2026, 5:28:27 PM
Last enriched: 3/18/2026, 5:43:03 PM
Last updated: 3/18/2026, 6:49:40 PM