CVE-2026-30928

Name: CVE-2026-30928
Description: Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. Any client that can reach the web server's API can therefore read every backend credential in the file. This vulnerability is fixed in 4.5.1.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
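The pattern behind this CVE, as an added illustration that is not Glances' own code and does not reproduce the upstream fix: a configuration parsed from a glances.conf-style INI file is dumped wholesale as a dict (the vulnerable shape), beside a hardened dump that masks any option whose name looks like a credential, plus a small audit helper that reports which credentials an API response body still exposes. The sample configuration, the key-name patterns and the function names are all assumptions made for this example.

```python
import configparser
import re
from typing import Dict, List, Tuple

# Constructed sample in glances.conf style (not a real deployment; values are fake).
SAMPLE_CONF = """
[global]
refresh=2

[influxdb2]
host=localhost
port=8086
org=glances
token=s3cr3t-influx-token
bucket=glances

[mysql]
host=db.internal
user=glances
password=Hunter2!

[outputs]
ssl_keyfile_password=pem-pass
jwt_secret=changeme
"""

# Assumed heuristic: any option name matching one of these fragments holds a credential.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|secret|token|api_key|apikey|private_key)",
    re.IGNORECASE,
)
REDACTED = "***REDACTED***"

ConfigDict = Dict[str, Dict[str, str]]


def load_config(text: str) -> configparser.ConfigParser:
    """Parse INI text; interpolation is disabled so '%' in passwords is not expanded."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def config_as_dict(cfg: configparser.ConfigParser) -> ConfigDict:
    """Unfiltered dump: the shape an endpoint leaks when it returns the parsed file as-is."""
    return {section: dict(cfg.items(section)) for section in cfg.sections()}


def redact_config(full: ConfigDict) -> ConfigDict:
    """Hardened form: same structure, but credential-looking values are masked."""
    return {
        section: {
            key: (REDACTED if SENSITIVE_KEY_RE.search(key) else value)
            for key, value in options.items()
        }
        for section, options in full.items()
    }


def find_exposed_credentials(body: ConfigDict) -> List[Tuple[str, str]]:
    """Audit helper: (section, key) pairs whose credential value is present unmasked.

    Feed it the JSON object returned by an instance's config endpoint to see
    what a remote client can read.
    """
    return [
        (section, key)
        for section, options in body.items()
        for key, value in options.items()
        if SENSITIVE_KEY_RE.search(key) and value != REDACTED
    ]


if __name__ == "__main__":
    full = config_as_dict(load_config(SAMPLE_CONF))
    print("exposed by unfiltered dump:", find_exposed_credentials(full))
    print("exposed after redaction:  ", find_exposed_credentials(redact_config(full)))
```

To check a running instance, fetch /api/4/config from the Glances web server, load the JSON response into a dict of sections and pass it to find_exposed_credentials; a non-empty result on a version below 4.5.1 is the leak this entry describes. Name-based redaction is a heuristic: a config key that does not match the patterns still leaks, so the safer design is to never expose the parsed configuration over an unauthenticated API at all.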

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release      Version           Status
glances (PTS)     bookworm     3.3.1.1+dfsg-1    fixed
                  trixie       4.3.1+dfsg-1      vulnerable
                  forky, sid   4.3.3+dfsg-1      vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
glances   source   bookworm     (not affected)
glances   source   (unstable)   (unfixed)

Notes

[bookworm] - glances <not-affected> (Vulnerable code introduced later)
https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6
Fixed by: https://github.com/nicolargo/glances/commit/5d3de603e63f21b0fd6aa2b9da0301f757c33e39 (v4.5.1)
