Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2026-21892
CVE-2026-21892:
Python vulnerability analysis and mitigation
Affected Product: Parsl (Python Parallel Scripting Library) Component: parsl.monitoring.visualization Vulnerability Type: SQL Injection (CWE-89) Severity: High (CVSS Rating Recommended: 7.5 - 8.6) URL: https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py Summary A SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database. Root Cause Analysis The vulnerability is located in parsl/monitoring/visualization/views.py. Multiple route handlers take the workflow_id parameter from the URL and inject it directly into a raw SQL query string without sanitization or parameterization. Vulnerable Code Snippet 1
query = """SELECT task.task_id, task.task_func_name, task.task_depends, status.task_status_name
FROM task LEFT JOIN status
ON task.task_id = status.task_id
AND task.run_id = status.run_id
AND status.timestamp = (SELECT MAX(status.timestamp)
FROM status
WHERE status.task_id = task.task_id and status.run_id = task.run_id
)
WHERE task.run_id='%s'""" % (workflow_id)Vulnerable Code Snippet 2
df_task_tries = pd.read_sql_query("""SELECT ...
WHERE task.task_id = try.task_id AND task.run_id='%s' and try.run_id='%s'"""
% (workflow_id, workflow_id), db.engine) # <--- Vulnerable Impact
Data Exfiltration: An attacker can use UNION based injection to dump the entire contents of the monitoring database, including potentially sensitive environment variables, task parameters, or host information logged by the monitoring system.
Access Control Bypass: By injecting boolean logic (e.g., ' OR '1'='1), an attacker could bypass specific workflow filters to view data they are not authorized to see.
Denial of Service: Time-based attacks or resource-intensive queries (e.g., randomblob) could crash the visualization server or the database.
Proof of Concept (PoC)
Prerequisites:
Parsl installed with monitoring enabled (pip install 'parsl[monitoring,visualization]').
A running parsl-visualize server serving a database with at least one recorded workflow.
Reproduction Steps:
Identify a valid workflow ID (or use a known ID like default-run or a UUID).
Navigate to the dag_group_by_states endpoint using the following manipulated URLs to confirm SQL logic control (Boolean-based Blind SQLi).
Test 1: Boolean FALSE (Graph Disappears)
Injecting a false condition (1=0) causes the query to return zero rows, resulting in an empty visualization.
http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='0/dag_group_by_states
Test 2: Boolean TRUE (Graph Reappears)
Injecting a true condition (1=1) restores the query logic, causing the graph to render correctly.
http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='1/dag_group_by_states
Source: NVD
Related Python vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management