Strobes VIStrobes VI
CVE DatabaseThreat ActorsResearchAPI Docs
Visit Strobes.coSign Up for Strobes
CVE DatabaseThreat ActorsResearchAPI Docs
Tools
KB Lookup
Visit Strobes.coSign Up for Strobes
HomeCVEs

Do you like the insights?

Strobes vulnerability intelligence is a key component of their Exposure Management platform that helps organizations understand, prioritize, and address security vulnerabilities more effectively.

© 2026 Strobes Security. All rights reserved.
HomeCVEsCVE-2026-21892

CVE-2026-21892

Published: January 28, 2026
Last updated:21 hours ago (January 28, 2026)
Exploit: NoZero-day: NoPatch: YesTrend: Neutral
TL;DR
Updated January 28, 2026

CVE-2026-21892 is a high severity vulnerability with a CVSS score of 7.3. No known exploits currently, and patches are available.

Key Points
  • 1High severity (CVSS 7.3/10)
  • 2No known public exploits
  • 3Vendor patches are available
  • 4Strobes Priority Score: 477/1000 (Medium)
  • 5Affects products from: Uchicago
Severity Scores
CVSS v37.3
CVSS v20.0
Priority Score477.0
EPSS Score0.0
High
Exploitation LikelihoodMinimal
0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow
0.00%
EPSS
7.3
CVSS
No
Exploit
Yes
Patch
Low Priority
no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Affected Product: Parsl (Python Parallel Scripting Library)

Component: parsl.monitoring.visualization

Vulnerability Type: SQL Injection (CWE-89)

Severity: High (CVSS Rating Recommended: 7.5 - 8.6)

URL: https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py

Summary

A SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database.

Root Cause Analysis

The vulnerability is located in parsl/monitoring/visualization/views.py. Multiple route handlers take the workflow_id parameter from the URL and inject it directly into a raw SQL query string without sanitization or parameterization.

Vulnerable Code Snippet 1

   query = """SELECT task.task_id, task.task_func_name, task.task_depends, status.task_status_name
               FROM task LEFT JOIN status
               ON task.task_id = status.task_id
               AND task.run_id = status.run_id
               AND status.timestamp = (SELECT MAX(status.timestamp)
                                       FROM status
                                       WHERE status.task_id = task.task_id and status.run_id = task.run_id
                                      )
               WHERE task.run_id='%s'""" % (workflow_id)

Vulnerable Code Snippet 2

df_task_tries = pd.read_sql_query("""SELECT ...
                                     WHERE task.task_id = try.task_id AND task.run_id='%s' and try.run_id='%s'"""
                                     % (workflow_id, workflow_id), db.engine) # <--- Vulnerable

Impact

Data Exfiltration: An attacker can use UNION based injection to dump the entire contents of the monitoring database, including potentially sensitive environment variables, task parameters, or host information logged by the monitoring system.

Access Control Bypass: By injecting boolean logic (e.g., ' OR '1'='1), an attacker could bypass specific workflow filters to view data they are not authorized to see.

Denial of Service: Time-based attacks or resource-intensive queries (e.g., randomblob) could crash the visualization server or the database.

Proof of Concept (PoC)

Prerequisites:

Parsl installed with monitoring enabled (pip install 'parsl[monitoring,visualization]').

A running parsl-visualize server serving a database with at least one recorded workflow.

Reproduction Steps:

Identify a valid workflow ID (or use a known ID like default-run or a UUID).

Navigate to the dag_group_by_states endpoint using the following manipulated URLs to confirm SQL logic control (Boolean-based Blind SQLi).

Test 1: Boolean FALSE (Graph Disappears) Injecting a false condition (1=0) causes the query to return zero rows, resulting in an empty visualization.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='0/dag_group_by_states

Test 2: Boolean TRUE (Graph Reappears) Injecting a true condition (1=1) restores the query logic, causing the graph to render correctly.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='1/dag_group_by_states

CVSS v3 Breakdown
Attack Vector:Network
Attack Complexity:Local
Privileges Required:Network
User Interaction:Network
Scope:Unchanged
Confidentiality:Local
Integrity:Local
Availability:Local
Patch References
Github.comSecurity [email protected]
Trend Analysis
Neutral
Vulnerable Products
VendorProduct
UchicagoParsl
Advisories
GitHub Advisory
NVD: Parsl is a Python parallel scripting library. A SQL Injection vulnerability exists in the parsl-visualize component of versions prior to 2026.01.05. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Version 2026.01.05 fixes the issue.
Cite This Page
APA Format
Strobes VI. (2026). CVE-2026-21892 - CVE Details and Analysis. Strobes VI. Retrieved January 29, 2026, from https://vi.strobes.co/cve/CVE-2026-21892
Quick copy link + title

Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.