CVE-2026-30928 in glances

Summary

by MITRE • 03/10/2026

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.


Analysis

by VulDB Data Team • 03/18/2026

The vulnerability identified as CVE-2026-30928 affects Glances, a popular cross-platform system monitoring tool that provides real-time insights into system performance metrics. This issue stems from a critical design flaw in the REST API implementation where the /api/4/config endpoint exposes sensitive configuration data without proper sanitization or filtering mechanisms. The vulnerability exists in versions prior to 4.5.1, making all earlier releases susceptible to information disclosure attacks that could compromise the security posture of systems relying on this monitoring solution.

The technical flaw manifests through the improper handling of the configuration file retrieval process where the API endpoint directly returns the output of self.config.as_dict() without removing sensitive information from the configuration structure. This method call exposes the complete parsed configuration file including database credentials, API tokens, JWT signing keys, and SSL key passwords that are typically stored in the glances.conf file. The vulnerability represents a classic case of insufficient output filtering and inadequate access control measures, allowing unauthorized users to extract privileged information through simple API requests.
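As an added illustration (not Glances' own code), the following shows the shape of the flaw and of the fix described above: a minimal stand-in for config.as_dict() over a constructed glances.conf, the unfiltered endpoint beside a redacting one, and an audit helper a defender can run over the JSON their own instance returns from /api/4/config. The section and option names in the sample, and the regex deciding which option names hold credentials, are assumptions.

```python
import configparser
import copy
import re

# Assumption: option names that typically hold credentials in glances.conf
# (database passwords, export tokens, SSL key passwords, JWT signing keys).
SENSITIVE_KEY = re.compile(
    r"(password|passwd|pwd|secret|token|jwt|_key$|^key$)", re.IGNORECASE
)
REDACTED = "***REDACTED***"

# Constructed sample config; values are placeholders, not real secrets.
SAMPLE_CONF = """\
[influxdb2]
host=localhost
port=8086
org=monitoring
token=EXAMPLE_INFLUX_TOKEN

[mongodb]
host=localhost
user=glances
password=EXAMPLE_DB_PASSWORD

[sensors]
refresh=3
"""

def config_as_dict(text: str) -> dict:
    """Parse INI-style text into {section: {option: value}} (as_dict() analogue)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}

def vulnerable_config_endpoint(config: dict) -> dict:
    """Pre-4.5.1 behaviour: the whole parsed file is handed to the client."""
    return config

def hardened_config_endpoint(config: dict) -> dict:
    """Return a copy with credential-like values masked; the original is untouched."""
    safe = copy.deepcopy(config)
    for options in safe.values():
        for key in options:
            if SENSITIVE_KEY.search(key):
                options[key] = REDACTED
    return safe

def audit_exposed_secrets(response: dict) -> list[str]:
    """List 'section.option' entries in an API response that still carry a live value."""
    return [f"{section}.{key}" for section, options in response.items()
            for key, value in options.items()
            if SENSITIVE_KEY.search(key) and value != REDACTED]
```

Running audit_exposed_secrets over a saved /api/4/config response is a quick way to confirm that an upgrade or a reverse-proxy filter actually masks credentials.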

The operational impact of this vulnerability is severe as it enables attackers to gain access to authentication credentials and cryptographic keys used by the monitoring tool to connect to backend services. This exposure could allow adversaries to escalate their privileges within the monitored environment, potentially gaining access to databases, cloud services, or other backend systems that rely on the credentials stored in the configuration file. The compromise of JWT signing keys particularly poses a significant risk as it could enable attackers to forge authentication tokens and impersonate legitimate users within the system.

Mitigation should focus on proper input validation and output filtering in the API endpoint so that sensitive configuration values are never returned to clients. The fix in version 4.5.1 likely sanitizes the configuration data before it is returned through the REST API, removing or masking sensitive fields such as passwords, tokens, and cryptographic keys. Organizations should upgrade to version 4.5.1 or later immediately. Network segmentation and access controls around the Glances API endpoints add a further layer of defense in depth. This vulnerability aligns with CWE-209, which addresses information exposure through improper error handling, and relates to ATT&CK technique T1566, which involves credential access through exploitation of system vulnerabilities. Remediation should also include rotating all credentials and keys that may have been exposed, since the configuration file may have been readable by unauthorized parties during the vulnerable period.

Responsible

GitHub M

Reservation

03/07/2026

Disclosure

03/10/2026

Moderation

accepted

CPE

ready

EPSS

0.06670

KEV

no

Activities

very low

Sources
