CVE-2026-30928

Name
CVE-2026-30928
Description
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
security-advisories@github.com https://github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da
security-advisories@github.com https://github.com/nicolargo/glances/releases/tag/v4.5.1
security-advisories@github.com https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:* glances >= None < 4.5.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
glances edge-community 4.5.0.5-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances edge-community 4.5.0.4-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances edge-community 4.4.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances edge-community 4.3.3-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances edge-community 4.3.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances edge-community 3.4.0.5-r1 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable
glances 3.23-community 4.4.1-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable