Threat Advisory

Glances Exposes Unauthenticated Configuration Secrets

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

A vulnerability tracked as CVE-2026-30928 has been identified in the Glances monitoring tool that exposes sensitive configuration secrets through an unauthenticated REST API endpoint. The issue occurs because the /api/4/config endpoint returns the entire parsed glances.conf configuration file without filtering sensitive values. This configuration may contain credentials for backend services such as database passwords, API tokens, JWT signing keys, and SSL key passwords. The vulnerability originates from the as_dict() method, which iterates through all configuration sections and options and exposes them directly in the API response. Additionally, authentication is not enforced when the Glances web server runs without a configured password, allowing remote users to access the endpoint. An attacker can retrieve sensitive configuration information by sending requests to the exposed API endpoint. The flaw affects Glances versions earlier than 4.5.1. Successful exploitation may lead to unauthorized disclosure of critical infrastructure credentials and secrets. The vulnerability is assigned a CVSS base score of 8.7 (High severity).
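The following added example (not Glances' own code) illustrates the pattern described above: an as_dict()-style serialization that emits every parsed configuration option verbatim, beside a hardened variant that masks secret-looking options before the data reaches an API response. The sample configuration and the sensitive-name pattern are constructed for this illustration.

```python
import configparser
import re

# Constructed glances.conf-style content for demonstration only.
SAMPLE_CONF = """
[global]
refresh=2

[influxdb]
host=influxdb.internal
user=glances
password=ExamplePassword123

[graphite]
host=graphite.internal
token=exampletoken

[webserver]
secret_key=examplekey
"""

# Option names that commonly hold secrets; an assumption for this example.
SENSITIVE = re.compile(r"(password|passwd|secret|token|key)", re.IGNORECASE)
REDACTED = "***REDACTED***"


def load_config(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def as_dict(parser):
    """Mirror the problematic pattern: every section/option is emitted verbatim."""
    return {section: dict(parser.items(section)) for section in parser.sections()}


def redacted_dict(parser):
    """Hardened variant: same shape, but secret-looking options are masked."""
    result = {}
    for section in parser.sections():
        result[section] = {
            option: (REDACTED if SENSITIVE.search(option) else value)
            for option, value in parser.items(section)
        }
    return result


def leaked_secrets(payload):
    """Return (section, option) pairs whose secret-looking value is exposed verbatim."""
    return [
        (section, option)
        for section, options in payload.items()
        for option, value in options.items()
        if SENSITIVE.search(option) and value != REDACTED
    ]
```

Redaction of the serialized view does not replace enforcing authentication on the endpoint; it limits what an unauthenticated response can disclose if the password setting is absent.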

RECOMMENDATION:

We strongly recommend you update Glances to version 4.5.1.

REFERENCES:

The following reports contain further technical details:

https://github.com/advisories/GHSA-gh4x-f7cq-wwx6
