Description
Glances is an open-source system cross-platform monitoring tool. From 4.0.8 until 4.5.5, the secure_popen() function in glances/secure.py interprets > (file redirection), | (pipe), and && (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained command. When Application Monitoring Process (AMP) modules load their command or service_cmd configuration values from glances.conf, those values are passed directly to secure_popen() with no sanitization. This allows an attacker who can modify the Glances configuration file to write arbitrary content to arbitrary filesystem paths (via >), chain arbitrary commands (via &&), or pipe command output to arbitrary programs (via |). This vulnerability is fixed in 4.5.5.
Published: 2026-06-25
Score: 7.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in glances/secure.py's secure_popen() function, which interprets file redirection (>), piping (|), and command chaining (&&) operators in arbitrary command strings without validating the target file path or the commands themselves. When Application Monitoring Process (AMP) modules load their command or service_cmd values from the configuration file, these values are passed directly to secure_popen() unchecked. This allows an attacker who can modify the Glances configuration to write arbitrary content to any filesystem path, chain arbitrary commands, or pipe command output to arbitrary programs. The immediate consequence is that a compromised configuration file yields unchecked file writes, a classic example of a path traversal, and full command execution with the privileges of the Glances process. Because glances.conf carries no integrity checks, the only precondition is the ability to edit the configuration file, so the vulnerability is exploitable only by an attacker who can do so, which may be possible for local users or processes with elevated privileges.

Affected Systems

The affected product is Glances, version 4.0.8 through 4.5.5 inclusive, produced by nicolargo. No other products or vendors are listed as affected. The vulnerability is fixed in Glances 4.5.5.

Risk and Exploitability

With a CVSS score of 7.8, the vulnerability is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector requires the adversary to write to glances.conf—either through local user privileges, a compromised process, or a vulnerability that gives filesystem write access. Once the configuration is altered, arbitrary filesystem writes and command executions can occur with the same privileges that Glances runs under, potentially enabling full system compromise. The absence of external exposure (no network-facing trigger) limits the attack vector to local or compromised contexts, but the impact remains severe once the configuration is corrupted.

Generated by OpenCVE AI on June 25, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.5 or later to eliminate the unvalidated secure_popen() behavior.
  • Restrict write permissions on glances.conf to prevent unauthorized modifications, ensuring only the installer or a trusted administrator can edit the file.
  • Audit existing AMP module configurations for unexpected command strings and remove any that are not essential, to reduce the attack surface should a configuration file still become compromised.
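The following audit script is an added example, not code from OpenCVE or from the Glances project. It assumes the upstream glances.conf layout (INI-style [amp_<name>] sections whose command or service_cmd values are handed to secure_popen()) and runs over a constructed configuration fragment. It implements the audit step above for the three operators the advisory names, and shows the hardening a loader can apply on the consuming side: refuse any command string carrying one of those operators, then execute the argv list without a shell so nothing else in the string is ever interpreted.

```python
import configparser
import re
import shlex
import subprocess
import sys
from typing import Dict, List, Tuple

# Operators the advisory names as interpreted by secure_popen() without
# validation. The mapping itself belongs to this example.
SHELL_OPERATORS: Dict[str, str] = {
    "&&": "command chaining",
    "|": "pipe",
    ">": "file redirection",
}
# Keys in [amp_*] sections whose values are executed by the AMP loader.
AMP_COMMAND_KEYS = ("command", "service_cmd")

_OPERATOR_RE = re.compile(r"&&|\||>")

# Constructed glances.conf fragment (section/key layout follows the upstream
# file; the concrete values are made up for this example). The last two AMP
# entries carry the operators an audit should flag.
SAMPLE_CONF = r"""
[amp_nginx]
enable=true
regex=\/usr\/sbin\/nginx
refresh=60
one_line=false
status_url=http://localhost/nginx_status

[amp_systemd]
enable=true
regex=\/lib\/systemd\/systemd
refresh=30
one_line=true
service_cmd=/usr/bin/systemctl --plain --no-pager --no-legend --type=service list-units

[amp_backup]
enable=true
regex=.*backup.*
refresh=120
one_line=true
command=/usr/local/bin/backup-status && /bin/echo done

[amp_diskcheck]
enable=true
regex=.*
refresh=120
command=/bin/df -h | /usr/bin/head -n 5 > /var/tmp/df.txt
"""

# Constructed, portable command used to show the hardened runner succeeding.
DEMO_COMMAND = f"{shlex.quote(sys.executable)} -c \"print('ok')\""


def find_operators(value: str) -> List[str]:
    """Return the names of the operators present in one command string,
    in order of appearance (an empty list means none were found)."""
    return [SHELL_OPERATORS[m.group(0)] for m in _OPERATOR_RE.finditer(value)]


def audit_amp_config(conf_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse a glances.conf fragment and report every AMP command value that
    contains a redirection, pipe or chaining operator.

    Each finding is (section, key, raw value, [operator names])."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("amp_"):
            continue
        for key in AMP_COMMAND_KEYS:
            if parser.has_option(section, key):
                value = parser.get(section, key)
                ops = find_operators(value)
                if ops:
                    findings.append((section, key, value, ops))
    return findings


def run_amp_command(cmd: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Run an AMP command the way a hardened loader should: reject any string
    carrying a shell operator, then execute the argv list with shell=False so
    the remaining characters are passed to the program verbatim."""
    ops = find_operators(cmd)
    if ops:
        raise ValueError(f"refusing command with shell operator(s): {', '.join(ops)}")
    argv = shlex.split(cmd)
    if not argv:
        raise ValueError("empty command")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    for section, key, value, ops in audit_amp_config(SAMPLE_CONF):
        print(f"{section}.{key}: {', '.join(ops)} in {value!r}")
```

The scan is deliberately conservative: a `>` or `|` inside a quoted argument of an otherwise harmless command is reported too, because an operator string that reaches secure_popen() in affected versions is what matters, not the author's intent. Point `audit_amp_config()` at the contents of the deployed glances.conf (and any included AMP files) and review each finding by hand before removing it.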

Generated by OpenCVE AI on June 25, 2026 at 19:21 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-3vwc-qwhc-3mj7
Title: Glances has arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration

History

Thu, 25 Jun 2026 21:30:00 +0000

First Time appeared (values added): Nicolargo; Nicolargo glances
Vendors & Products (values added): Nicolargo; Nicolargo glances

Thu, 25 Jun 2026 19:30:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 25 Jun 2026 18:30:00 +0000

Description (values added): the CVE description reproduced at the top of this page.
Title (values added): Glances: Arbitrary file write and command execution via `secure_popen` redirection and chaining operators in AMP command configuration
Weaknesses (values added): CWE-22
References (values added): (none shown)
Metrics cvssV3_1 (values added): {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-25T18:25:13.508Z
Reserved: 2026-06-11T15:46:12.316Z
Link: CVE-2026-53925

Vulnrichment

Updated: 2026-06-25T18:24:59.937Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')