CVE-2026-30928
Published 2026-03-10
CVE-2026-30928: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances…
Priority: P259 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.66% (73.7th percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.1+dfsg-1 (forky) | glances 4.5.1+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.1+dfsg-1 | 4.5.1+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.1 | 4.5.1 |
| nicolargo | glances | < 4.5.1 | 4.5.1 |
Detection & IOCs (extracted from sources)
yara regex: '"password": "[A-Za-z0-9_@.#&+-;$]*",'
- Send a GET request to /api/4/config and inspect the JSON response body for credential fields (e.g., 'password', API tokens, JWT keys). A 200 response with Content-Type: application/json containing password fields indicates a vulnerable, unpatched Glances instance.
- Match HTTP responses from /api/4/config for the regex pattern '"password": "[A-Za-z0-9_@.#&+-;$]*",' in the body combined with 'application/json' in the Content-Type header and HTTP 200 status to confirm exploitation.
- Exploitation requires API access to the Glances instance; the endpoint is not necessarily exposed to unauthenticated internet traffic by default, but misconfigured deployments may expose it publicly.
- All Glances versions prior to 4.5.1 are affected. Debian 'trixie' remains open/unresolved as of the tracker snapshot.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.7 | HIGH | |
| vendor_debian | | 8.7 | LOW | |
OSV
CVE-2026-30928 [HIGH] CVE-2026-30928: Glances is an open-source system cross-platform monitoring tool
osv · 2026-03-10 · CVSS 8.7
GHSA
CVE-2026-30928 [HIGH] CWE-200 Glances Exposes Unauthenticated Configuration Secrets
ghsa · 2026-03-09
### Summary
The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords.
### Details
Root Cause: The as_dict() method in config.py iterates over every section and every key in the ConfigParser and returns them all as a flat dictionary. No sensitive key filtering or redaction is applied.
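An added illustration (not Glances' own code) of the root cause and of the detection rule quoted in the Detection & IOCs section: an unfiltered section-by-section ConfigParser dump beside a variant that masks credential-like keys before returning, with the page's response-body regex applied to the JSON each produces. The config text, the credential key-name pattern and all function names are constructed for this example.

```python
# Added illustration, not Glances source: the unfiltered dump described in the
# advisory beside a redacting variant, plus the page's response-body regex check.
import configparser
import json
import re

# Constructed glances.conf-style input with placeholder (fake) credentials.
SAMPLE_CONF = """\
[influxdb2]
host = localhost
port = 8086
token = EXAMPLE_TOKEN_abc123
[mongodb]
host = localhost
user = glances
password = S3cretPass
db = glances
[outputs]
curse_theme = white
"""

# Assumed set of credential-like key names; tune to the backends actually configured.
SENSITIVE_KEY_RE = re.compile(r"password|passwd|secret|token|jwt|api_key", re.I)
# Regex quoted in the page's detection section, applied to a response body.
LEAK_RE = re.compile(r'"password": "[A-Za-z0-9_@.#&+-;$]*",')


def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def as_dict_unfiltered(cfg: configparser.ConfigParser) -> dict:
    """Walk every section and key and return all values (the vulnerable behaviour)."""
    return {s: dict(cfg.items(s)) for s in cfg.sections()}


def as_dict_redacted(cfg: configparser.ConfigParser) -> dict:
    """Same walk, but values under credential-like keys are masked before return."""
    return {
        s: {k: "***" if SENSITIVE_KEY_RE.search(k) else v for k, v in cfg.items(s)}
        for s in cfg.sections()
    }


def to_json(d: dict) -> str:
    return json.dumps(d)


def body_leaks_password(body: str) -> bool:
    """True if a 200 application/json body matches the page's password pattern."""
    return LEAK_RE.search(body) is not None
```

The masked value `***` falls outside the rule's character class, so the redacted body no longer matches while the unfiltered one does.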
Affected Code:
- _File: glances/outputs/glances_restful_api.py, lines 1154-1167_
```
def _api_config(self):
    """Glances API RESTful implementation.
    Return the JSON representation of th
```
Debian
CVE-2026-30928 [HIGH] glances - Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1,...
vendor_debian · 2026 · CVSS 8.7
Scope: local
bookworm: resolved
forky: resolved (fixed in 4.5.1+dfsg-1)
sid: resolved (fixed in 4.5.1+dfsg-1)
trixie: open
No detection rules found.
Nuclei
CVE-2026-30928 [HIGH] Glances - Information Disclosure
nuclei · CVSS 8.7
Glances < 4.5.1 contains an information disclosure vulnerability caused by unfiltered exposure of sensitive configuration data via the /api/4/config REST API endpoint, letting remote attackers access credentials; exploitation requires API access.
Template:
```
id: CVE-2026-30928

info:
  name: Glances - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    Glances < 4.5.1 contains an information disclosure vulnerability caused by unfiltered exposure of sensitive configuration data via the /api/4/config REST API endpoint, letting remote attackers access credentials, exploit requires API access.
  impact: |
    Attackers can access sensitive credentials, including passwords and keys, leading to potential full system compromise.
  remediation: |
    Upgrade to
```
Bugzilla
CVE-2026-30928 [HIGH] CVE-2026-30928 glances: unauthenticated configuration secrets exposure [epel-all]
bugzilla · 2026-03-10 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-30928 [HIGH] CVE-2026-30928 glances: unauthenticated configuration secrets exposure [fedora-all]
bugzilla · 2026-03-10 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
CVE-2026-30928 [HIGH] CVE-2026-30928 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7
## CVE-2026-30928: Python vulnerability analysis and mitigation
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Source: NVD
Score: 8.7
Published: March 10, 2026
Severity: HIGH
CNA Score: 8.7
Affected Technologies: Python, NixOS
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 87.3
Exploita
Published: 2026-03-10