PYSEC-2026-1759

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/parsl/PYSEC-2026-1759.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1759
Aliases
Published
2026-07-07T16:03:16.784288Z
Modified
2026-07-07T17:47:47.650239077Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Parsl Monitoring Visualization Vulnerable to SQL Injection
Details

Affected Product: Parsl (Python Parallel Scripting Library)

Component: parsl.monitoring.visualization

Vulnerability Type: SQL Injection (CWE-89)

Severity: High (CVSS Rating Recommended: 7.5 - 8.6)

URL: https://github.com/Parsl/parsl/blob/master/parsl/monitoring/visualization/views.py

Summary

A SQL Injection vulnerability exists in the parsl-visualize component of the Parsl library. The application constructs SQL queries using unsafe string formatting (Python % operator) with user-supplied input (workflow_id) directly from URL routes. This allows an unauthenticated attacker with access to the visualization dashboard to inject arbitrary SQL commands, potentially leading to data exfiltration or denial of service against the monitoring database.

Root Cause Analysis

The vulnerability is located in parsl/monitoring/visualization/views.py. Multiple route handlers take the workflow_id parameter from the URL and inject it directly into a raw SQL query string without sanitization or parameterization.

Vulnerable Code Snippet 1

   query = """SELECT task.task_id, task.task_func_name, task.task_depends, status.task_status_name
               FROM task LEFT JOIN status
               ON task.task_id = status.task_id
               AND task.run_id = status.run_id
               AND status.timestamp = (SELECT MAX(status.timestamp)
                                       FROM status
                                       WHERE status.task_id = task.task_id and status.run_id = task.run_id
                                      )
               WHERE task.run_id='%s'""" % (workflow_id)

Vulnerable Code Snippet 2

df_task_tries = pd.read_sql_query("""SELECT ...
                                     WHERE task.task_id = try.task_id AND task.run_id='%s' and try.run_id='%s'"""
                                     % (workflow_id, workflow_id), db.engine) # <--- Vulnerable 

Impact

Data Exfiltration: An attacker can use UNION based injection to dump the entire contents of the monitoring database, including potentially sensitive environment variables, task parameters, or host information logged by the monitoring system.

Access Control Bypass: By injecting boolean logic (e.g., ' OR '1'='1), an attacker could bypass specific workflow filters to view data they are not authorized to see.

Denial of Service: Time-based attacks or resource-intensive queries (e.g., randomblob) could crash the visualization server or the database.

Proof of Concept (PoC)

Prerequisites:

Parsl installed with monitoring enabled (pip install 'parsl[monitoring,visualization]').

A running parsl-visualize server serving a database with at least one recorded workflow.

Reproduction Steps:

Identify a valid workflow ID (or use a known ID like default-run or a UUID).

Navigate to the daggroupby_states endpoint using the following manipulated URLs to confirm SQL logic control (Boolean-based Blind SQLi).

Test 1: Boolean FALSE (Graph Disappears) Injecting a false condition (1=0) causes the query to return zero rows, resulting in an empty visualization.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='0/dag_group_by_states

Test 2: Boolean TRUE (Graph Reappears) Injecting a true condition (1=1) restores the query logic, causing the graph to render correctly.

http://<server>:8080/workflow/<VALID_ID>'%20AND%20'1'='1/dag_group_by_states

References

Affected packages

PyPI / parsl

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2026.01.05

Affected versions

0.*
0.1.1
0.1.2
0.2.0
0.2.1
0.3.0a0
0.3.0
0.3.1
0.4.0a0
0.4.0
0.4.1
0.5.0a0
0.5.0a1
0.5.0
0.5.1
0.5.2
0.6.0a0
0.6.0
0.6.1a0
0.6.1
0.6.2a0
0.6.2a1
0.7.0a0
0.7.0a1
0.7.0
0.7.1
0.7.2a0
0.7.2a1
0.7.2
0.8.0a0
0.8.0
0.9.0a0
0.9.0
1.*
1.0.0a0
1.0.0
1.1.0a0
1.1.0a1
1.1.0
1.2.0
1.3.0.dev0
1.3.0.dev1
2022.*
2022.10.4
2022.10.10
2022.10.17
2022.10.24
2022.10.31
2022.11.7
2022.11.14
2022.11.21
2022.11.28
2022.12.5
2022.12.12
2022.12.19
2022.12.26
2023.*
2023.1.2
2023.1.9
2023.1.16
2023.1.23
2023.1.30
2023.2.6
2023.2.13
2023.2.20
2023.2.27
2023.3.6
2023.3.13
2023.3.20
2023.3.27
2023.4.3
2023.4.10
2023.4.17
2023.4.24
2023.5.1
2023.5.8
2023.5.15
2023.5.22
2023.5.29
2023.6.5
2023.6.12
2023.6.19
2023.6.26
2023.7.3
2023.7.10
2023.7.17
2023.7.24
2023.7.31
2023.8.7
2023.8.14
2023.8.21
2023.8.28
2023.9.4
2023.9.11
2023.9.18
2023.9.25
2023.10.2
2023.10.9
2023.10.16
2023.10.23
2023.11.13
2023.11.20
2023.11.27
2023.12.4
2023.12.11
2023.12.18
2023.12.25
2024.*
2024.1.1
2024.1.8
2024.1.15
2024.1.22
2024.1.29
2024.2.5
2024.2.12
2024.2.19
2024.2.26
2024.3.4
2024.3.11
2024.3.18
2024.3.25
2024.4.1
2024.4.8
2024.4.15
2024.4.22
2024.4.29
2024.5.6
2024.5.13
2024.5.20
2024.5.27
2024.6.3
2024.6.10
2024.6.17
2024.6.24
2024.7.1
2024.7.8
2024.7.15
2024.7.22
2024.7.29
2024.8.5
2024.8.12
2024.8.19
2024.8.26
2024.9.2
2024.9.9
2024.9.16
2024.9.23
2024.9.30
2024.10.7
2024.10.14
2024.10.21
2024.10.28
2024.11.4
2024.11.11
2024.11.18
2024.11.25
2024.12.2
2024.12.9
2024.12.16
2024.12.23
2024.12.30
2025.*
2025.1.6
2025.1.13
2025.1.20
2025.1.27
2025.2.3
2025.2.10
2025.2.17
2025.2.24
2025.3.3
2025.3.10
2025.3.17
2025.3.24
2025.3.31
2025.4.7
2025.4.14
2025.4.21
2025.4.28
2025.5.5
2025.5.12
2025.5.19
2025.5.26
2025.6.2
2025.6.9
2025.6.16
2025.6.23
2025.6.30
2025.7.7
2025.7.14
2025.7.21
2025.7.28
2025.8.4
2025.8.11
2025.8.18
2025.8.25
2025.9.1
2025.9.8
2025.9.15
2025.9.22
2025.9.29
2025.10.6
2025.10.13
2025.10.20
2025.10.27
2025.11.3
2025.11.10
2025.11.17
2025.11.24
2025.12.1
2025.12.8
2025.12.15
2025.12.22
2025.12.29

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/parsl/PYSEC-2026-1759.yaml"