Description
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Published: 2026-03-10
Score: 8.7 High
EPSS: 8.5% Low
KEV: No
Impact: Exposure of configuration secrets and credentials
Action: Update
AI Analysis

Impact

Glances versions prior to 4.5.1 expose the entire parsed configuration file through the /api/4/config REST endpoint without any filtering of sensitive values. The configuration contains database passwords, API tokens, JWT signing keys, and SSL key passwords. An attacker that can reach the endpoint can retrieve these credentials, enabling subsequent attacks such as unauthorized database access, token misuse, or privilege escalation, thereby compromising confidentiality and potentially integrity of the protected systems.

Affected Systems

The vulnerability affects the nicolargo Glances cross-platform system monitoring tool in every release before 4.5.1, including 4.5.0 and all earlier stable builds. Only instances running in web server / REST API mode are reachable over the network, and the exposure covers every credential present in the glances.conf that instance loads.

Risk and Exploitability

An unauthenticated attacker with network access to a Glances web server instance can issue a single GET request to /api/4/config and obtain the full parsed configuration, including database passwords, API tokens, JWT signing keys, and SSL key passwords. With these the attacker can authenticate to the backend services Glances exports to, forge or validate JWTs signed with the exposed key, and, if the protected key file can also be obtained, unlock the TLS private key with the exposed password. The CVSS v4.0 score of 8.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H) reflects a high confidentiality impact with no integrity or availability impact on Glances itself; the EPSS score of 8.5% indicates a moderate probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Because the endpoint can be reached without authentication, the attack is trivial to carry out, and the leaked credentials extend the breach from the monitoring tool to the services it observes.

Generated by OpenCVE AI on April 21, 2026 at 23:36 UTC.

Remediation

The CVE description states that the issue is fixed in Glances 4.5.1; upgrade to that release or later. No separate vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.1 or later, the release the CVE description names as containing the fix, so that /api/4/config no longer returns sensitive values.
  • If an upgrade is not immediately possible, restrict network access to the Glances web server port (not just the /api/4/config path, since the same listener serves it) using firewall rules or host-based access controls, or bind the listener to a management interface, so only trusted hosts can reach it.
  • Treat every credential present in glances.conf on an instance that was reachable while vulnerable as exposed: rotate database passwords, API tokens, JWT signing keys, and SSL key passwords, and check the backend services for use of the old values.
  • Apply general hardening to the Glances API, such as enabling the password protection Glances offers for its web server mode, fronting it with an authenticating reverse proxy, and rate limiting the monitoring service.
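The check below ties together the exploitability note above (what a vulnerable instance hands back from /api/4/config) and the recommended actions. It is an added example and not Glances' own code or the 4.5.1 fix: it takes the {section: {option: value}} dictionary such an endpoint returns (the sample config, its section names and option names are constructed for illustration), lists the options that look credential-bearing, produces the redacted form a filtering endpoint should serve instead, and flags affected version strings. The regular expression of sensitive option names is an assumption to extend for your own glances.conf.

```python
"""Check a parsed Glances /api/4/config response for exposed secrets and
build the redacted form a fixed endpoint should return.

Added example, not Glances' own code. The sample config, its section and
option names, and the sensitive-name pattern are assumptions."""

import re

# Option names that hold credentials. Assumption based on the value kinds the
# CVE description lists (passwords, tokens, signing keys, SSL key passwords).
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|apikey|signing_key|private_key)",
    re.IGNORECASE,
)

REDACTED = "***"

# First release the CVE description names as fixed.
FIXED_VERSION = (4, 5, 1)


def parse_version(version: str) -> tuple:
    """Turn '4.5.0' (or '4.5.0.dev1') into a comparable tuple of ints."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True for any Glances release before 4.5.1."""
    return parse_version(version) < FIXED_VERSION


def find_exposed_secrets(config: dict) -> list:
    """Walk the {section: {option: value}} dict and return (section, option)
    pairs whose option name looks credential-bearing and whose value is a
    real, non-empty secret (already-redacted values are ignored)."""
    hits = []
    for section, options in config.items():
        if not isinstance(options, dict):
            continue
        for option, value in options.items():
            if SENSITIVE_KEY_RE.search(option) and value not in (None, "", REDACTED):
                hits.append((section, option))
    return hits


def redact_config(config: dict) -> dict:
    """Return a copy with credential-bearing values replaced by REDACTED,
    i.e. what a filtering endpoint should serve. The input is not modified."""
    out = {}
    for section, options in config.items():
        if not isinstance(options, dict):
            out[section] = options
            continue
        out[section] = {
            option: (
                REDACTED
                if SENSITIVE_KEY_RE.search(option) and value not in (None, "")
                else value
            )
            for option, value in options.items()
        }
    return out


# Constructed sample of what a vulnerable instance could return. Section and
# option names are illustrative, not copied from a real glances.conf.
SAMPLE_CONFIG = {
    "global": {"refresh": "2", "check_update": "false"},
    "influxdb2": {"host": "localhost", "port": "8086", "token": "EXAMPLE-TOKEN"},
    "mqtt": {"host": "broker", "user": "glances", "password": "EXAMPLE-PASS"},
    "tls": {"certfile": "/etc/glances/cert.pem", "key_password": "EXAMPLE-KEYPASS"},
}

if __name__ == "__main__":
    for section, option in find_exposed_secrets(SAMPLE_CONFIG):
        print(f"exposed: [{section}] {option}")
    print(redact_config(SAMPLE_CONFIG))
```

To run it against a live instance, feed the JSON body of a GET on /api/4/config (e.g. `json.load` of the response) to `find_exposed_secrets`; any hit on a pre-4.5.1 host is a credential that must be rotated, not merely hidden.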


Advisories
Source: GitHub GHSA
ID: GHSA-gh4x-f7cq-wwx6
Title: Glances Exposes Unauthenticated Configuration Secrets
History

Tue, 17 Mar 2026 16:30:00 +0000

Type: CPEs
  Values added: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
Type: Metrics (cvssV3_1)
  Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values added: Nicolargo; Nicolargo glances
Type: Vendors & Products
  Values added: Nicolargo; Nicolargo glances

Tue, 10 Mar 2026 17:15:00 +0000

Type: Metrics (ssvc)
  Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 16:30:00 +0000

Type: Description
  Values added: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Type: Title
  Values added: Glances Exposes Unauthenticated Configuration Secrets
Type: Weaknesses
  Values added: CWE-200
Type: References
Type: Metrics (cvssV4_0)
  Values added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T16:41:10.278Z

Reserved: 2026-03-07T16:40:05.885Z

Link: CVE-2026-30928

Vulnrichment

Updated: 2026-03-10T16:40:51.721Z

NVD

Status : Analyzed

Published: 2026-03-10T18:18:52.627

Modified: 2026-03-17T16:20:29.660

Link: CVE-2026-30928

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:45:02Z

Weaknesses