Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
Published: 2026-04-02
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection leading to Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Glances allowed dynamic configuration values where substrings wrapped in backticks are interpreted as shell commands and executed during configuration parsing. Because the code path in Config.get_value() does not validate or restrict these commands, an attacker who can modify the configuration file can inject arbitrary shell commands. If Glances runs with elevated privileges, such injection can lead to privilege escalation and compromise the host. The weakness matches CWE‑78: Improper Neutralization of Special Elements used in an OS Command.

Affected Systems

The vulnerability affects the Glances system monitoring tool from nicolargo. All versions prior to 4.5.3 are impacted, including any deployments where the service runs as root or another privileged account. The official fix is delivered in release 4.5.3, which removes execution of backticked expressions and sanitises configuration values. If the application is still running an older release, it remains susceptible.

Risk and Exploitability

With a CVSS base score of 7.8 the vulnerability is considered high risk. However, the EPSS score indicates that exploitation likelihood is below 1 %. The issue has not been listed in CISA’s KEV catalog, suggesting no widespread automated exploitation. The attack requires the attacker to write to the Glances configuration file or otherwise influence its content, which may be possible through local access, compromised user accounts, or network exposure of configuration endpoints. If vulnerable, an attacker can execute arbitrary commands with the same privileges as the Glances process, potentially gaining root access on systems where the service runs as root.

Generated by OpenCVE AI on April 7, 2026 at 19:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Glances to version 4.5.3 or later, which removes the vulnerability.
  • After applying the patch, ensure the configuration directory and files are owned by the Glances user and have restrictive permissions (e.g., 600) to prevent unauthorized modification.
  • If an immediate upgrade is not possible, consider placing the Glances process in a non‑privileged account or restricting its ability to read and write configuration files.

Generated by OpenCVE AI on April 7, 2026 at 19:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qhj7-v7h7-q4c7 Glances Vulnerable to Command Injection via Dynamic Configuration Values
History

Tue, 07 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Sat, 04 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
Title Glances Vulnerable to Command Injection via Dynamic Configuration Values
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:22:08.154Z

Reserved: 2026-03-23T14:24:11.620Z

Link: CVE-2026-33641

cve-icon Vulnrichment

Updated: 2026-04-02T16:14:00.569Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:40.040

Modified: 2026-04-07T14:59:46.823

Link: CVE-2026-33641

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:55:41Z

Weaknesses