PT-2026-24167 · Glance · Glance

Neo-Ai-Engineer +1 · Published 2026-03-07 · Updated 2026-03-22 · CVE-2026-30928

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.1

Description

Glances is a cross-platform system monitoring tool. The '/api/4/config' REST API endpoint returns the entire Glances configuration file (glances.conf) without filtering sensitive values. This configuration file contains credentials for backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. The vulnerability stems from the as_dict() method in config.py, which iterates through all configuration sections and keys without applying any redaction. The API endpoint requires no authentication when Glances is started without a password. An attacker can retrieve the configuration with a simple HTTP request, extract the sensitive information, and potentially compromise the entire infrastructure.

Recommendations

Glances versions prior to 4.5.1 should be updated to version 4.5.1 or later.
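
The redaction gap described above, shown as an added example that is neither Glances code nor the 4.5.1 fix: one function serializes every section and key verbatim, the other masks secret-looking keys first. The section names, key names, values and the SENSITIVE pattern are assumptions constructed for illustration.

```python
import configparser
import re

# Constructed sample in the style of glances.conf; sections, keys and values are illustrative.
SAMPLE_CONF = """\
[global]
refresh = 2

[influxdb2]
host = localhost
token = EXAMPLE-TOKEN

[mongodb]
user = glances
password = EXAMPLE-DB-PASSWORD

[outputs]
jwt_secret_key = EXAMPLE-SIGNING-KEY
ssl_keyfile_password = EXAMPLE-KEY-PASSWORD
"""

# Assumed naming heuristic for secret-bearing keys (not taken from the Glances fix).
SENSITIVE = re.compile(r"password|passwd|token|secret|(^|_)key($|_)", re.IGNORECASE)
REDACTED = "********"

def load(text):
    """Parse configuration text without value interpolation."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def as_dict_unfiltered(parser):
    """The pattern the advisory describes: every section and key, verbatim."""
    return {s: dict(parser.items(s)) for s in parser.sections()}

def as_dict_redacted(parser):
    """Same traversal, but values of secret-looking keys are masked before serialization."""
    return {
        s: {k: (REDACTED if SENSITIVE.search(k) else v) for k, v in parser.items(s)}
        for s in parser.sections()
    }

def exposed_keys(config_dict):
    """Audit helper: list section.key pairs whose secret-looking values are not masked."""
    return sorted(
        f"{s}.{k}"
        for s, kv in config_dict.items()
        for k, v in kv.items()
        if SENSITIVE.search(k) and v != REDACTED
    )
```

Running exposed_keys() over whatever a configuration endpoint would serialize works as a regression check; masking complements authentication on the API and does not replace it.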

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2026-04356
CVE-2026-30928
GHSA-GH4X-F7CQ-WWX6

Affected Products

Glance