GHSA-F2MF-Q878-GH58

Vulnerability from github – Published: 2026-01-06 18:04 – Updated: 2026-01-08 21:18
VLAI?
Summary
Parsl Monitoring Visualization Vulnerable to SQL Injection
Details

Affected Product: Parsl (Python Parallel Scripting Library)

Component: parsl.monitoring.visualization

Vulnerability Type: SQL Injection (CWE-89)

Severity: High (CVSS Rating Recommended: 7.5 - 8.6)

URL: https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py

Summary

A SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database.

Root Cause Analysis

The vulnerability is located in parsl/monitoring/visualization/views.py. Multiple route handlers take the workflow_id parameter from the URL and inject it directly into a raw SQL query string without sanitization or parameterization.

Vulnerable Code Snippet 1 

   query = """SELECT task.task_id, task.task_func_name, task.task_depends, status.task_status_name
               FROM task LEFT JOIN status
               ON task.task_id = status.task_id
               AND task.run_id = status.run_id
               AND status.timestamp = (SELECT MAX(status.timestamp)
                                       FROM status
                                       WHERE status.task_id = task.task_id and status.run_id = task.run_id
                                      )
               WHERE task.run_id='%s'""" % (workflow_id)

Vulnerable Code Snippet 2

df_task_tries = pd.read_sql_query("""SELECT ...
                                     WHERE task.task_id = try.task_id AND task.run_id='%s' and try.run_id='%s'"""
                                     % (workflow_id, workflow_id), db.engine) # <--- Vulnerable

Impact

Data Exfiltration: An attacker can use UNION based injection to dump the entire contents of the monitoring database, including potentially sensitive environment variables, task parameters, or host information logged by the monitoring system.

Access Control Bypass: By injecting boolean logic (e.g., ' OR '1'='1), an attacker could bypass specific workflow filters to view data they are not authorized to see.

Denial of Service: Time-based attacks or resource-intensive queries (e.g., randomblob) could crash the visualization server or the database.

Proof of Concept (PoC)

Prerequisites:

Parsl installed with monitoring enabled (pip install 'parsl[monitoring,visualization]').

A running parsl-visualize server serving a database with at least one recorded workflow.

Reproduction Steps:

Identify a valid workflow ID (or use a known ID like default-run or a UUID).

Navigate to the dag_group_by_states endpoint using the following manipulated URLs to confirm SQL logic control (Boolean-based Blind SQLi).

Test 1: Boolean FALSE (Graph Disappears) Injecting a false condition (1=0) causes the query to return zero rows, resulting in an empty visualization.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='0/dag_group_by_states

Test 2: Boolean TRUE (Graph Reappears) Injecting a true condition (1=1) restores the query logic, causing the graph to render correctly.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='1/dag_group_by_states

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "parsl"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.01.05"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-21892"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-06T18:04:21Z",
    "nvd_published_at": "2026-01-08T14:15:57Z",
    "severity": "MODERATE"
  },
  "details": "**Affected Product:** Parsl (Python Parallel Scripting Library)\n\n**Component:** parsl.monitoring.visualization\n\n**Vulnerability Type:** SQL Injection (CWE-89)\n\n**Severity:** High (CVSS Rating Recommended: 7.5 - 8.6)\n\n**URL:** [https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py]( https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py)\n\n**Summary**\n\nA SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database.\n\n**Root Cause Analysis**\n\nThe vulnerability is located in parsl/monitoring/visualization/views.py. Multiple route handlers take the workflow_id parameter from the URL and inject it directly into a raw SQL query string without sanitization or parameterization.\n\nVulnerable Code Snippet 1 \n\n```\n   query = \"\"\"SELECT task.task_id, task.task_func_name, task.task_depends, status.task_status_name\n               FROM task LEFT JOIN status\n               ON task.task_id = status.task_id\n               AND task.run_id = status.run_id\n               AND status.timestamp = (SELECT MAX(status.timestamp)\n                                       FROM status\n                                       WHERE status.task_id = task.task_id and status.run_id = task.run_id\n                                      )\n               WHERE task.run_id=\u0027%s\u0027\"\"\" % (workflow_id)\n```\n\nVulnerable Code Snippet 2\n```\ndf_task_tries = pd.read_sql_query(\"\"\"SELECT ...\n                                     WHERE task.task_id = try.task_id AND task.run_id=\u0027%s\u0027 and try.run_id=\u0027%s\u0027\"\"\"\n                                     % (workflow_id, workflow_id), db.engine) # \u003c--- Vulnerable \n```\n\n**Impact**\n\n**Data Exfiltration:** An attacker can use UNION based injection to dump the entire contents of the monitoring database, including potentially sensitive environment variables, task parameters, or host information logged by the monitoring system.\n\n**Access Control Bypass:** By injecting boolean logic (e.g., \u0027 OR \u00271\u0027=\u00271), an attacker could bypass specific workflow filters to view data they are not authorized to see.\n\n**Denial of Service:** Time-based attacks or resource-intensive queries (e.g., randomblob) could crash the visualization server or the database.\n\n**Proof of Concept (PoC)**\n\n**Prerequisites:**\n\nParsl installed with monitoring enabled (pip install \u0027parsl[monitoring,visualization]\u0027).\n\nA running parsl-visualize server serving a database with at least one recorded workflow.\n\n**Reproduction Steps:**\n\nIdentify a valid workflow ID (or use a known ID like default-run or a UUID).\n\nNavigate to the dag_group_by_states endpoint using the following manipulated URLs to confirm SQL logic control (Boolean-based Blind SQLi).\n\nTest 1: Boolean FALSE (Graph Disappears)\nInjecting a false condition (1=0) causes the query to return zero rows, resulting in an empty visualization.\n\n`http://\u003cserver\u003e:8080/workflow/\u003cVALID_ID\u003e\u0027%20AND%20\u00271\u0027=\u00270/dag_group_by_states\n`\n\nTest 2: Boolean TRUE (Graph Reappears)\nInjecting a true condition (1=1) restores the query logic, causing the graph to render correctly.\n\n`http://\u003cserver\u003e:8080/workflow/\u003cVALID_ID\u003e\u0027%20AND%20\u00271\u0027=\u00271/dag_group_by_states\n`",
  "id": "GHSA-f2mf-q878-gh58",
  "modified": "2026-01-08T21:18:52Z",
  "published": "2026-01-06T18:04:21Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21892"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Parsl/parsl"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Parsl Monitoring Visualization Vulnerable to SQL Injection"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.