CVE-2026-30928
Information Disclosure in Glances API Exposes Sensitive Credentials

Publication date: 2026-03-10

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: nicolargo
Product: glances
Version / Range: up to 4.5.1 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

CVE-2026-30928 is a high-severity vulnerability in the Glances monitoring tool versions prior to 4.5.1. The vulnerability occurs because the /api/4/config REST API endpoint returns the entire parsed Glances configuration file without filtering or redacting sensitive information.

This configuration file contains sensitive credentials such as database passwords, API tokens, JWT signing keys, and SSL key passwords. The root cause is that the method used to produce the API response returns all configuration data as a flat dictionary without excluding or masking sensitive keys.

Additionally, if Glances is started without a password, authentication is bypassed, allowing any network-reachable attacker to access this sensitive configuration data via the API.

Impact Analysis

This vulnerability can have severe impacts because it exposes all sensitive configuration secrets to unauthenticated users.

An attacker can retrieve credentials for backend databases such as InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, and Cassandra, as well as API tokens and JWT secret keys.

With these credentials, an attacker can gain unauthorized direct access to all connected data stores and potentially compromise the entire infrastructure monitored by Glances.

Detection Guidance

This vulnerability can be detected by checking if the Glances monitoring tool version is 4.5.0 or earlier and by attempting to access the vulnerable API endpoint that exposes sensitive configuration data.

Specifically, an unauthenticated request to the REST API endpoint /api/4/config on the Glances server (default port 61208) can reveal the entire configuration file including sensitive credentials.

From a network-reachable host, the check can be run with curl or wget to fetch the configuration data:

  • curl http://target:61208/api/4/config
  • wget -qO- http://target:61208/api/4/config

If the response contains sensitive information such as database passwords, API tokens, JWT signing keys, or SSL key passwords, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade Glances to version 4.5.1 or later, where this vulnerability is fixed.

The fix includes filtering and redacting sensitive configuration data from the API responses when accessed without authentication.

Additionally, ensure that the Glances web server is started with a password to enforce authentication, preventing unauthenticated access to sensitive endpoints.

If upgrading immediately is not possible, restrict network access to the Glances API port (default 61208) to trusted hosts only, and avoid running Glances without a password.
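As an added illustration (not Glances' own code and not the 4.5.1 fix), the following Python combines the two defensive steps above: it flags credential-looking options in a captured /api/4/config response, as the detection section describes, and masks them, as the fix is described to do. The section/option layout, the key-name patterns, and the sample configuration are all assumptions constructed for this example.

```python
import re
from copy import deepcopy
from typing import Any

# Option names that mark a value as a credential. The pattern list is an
# assumption of this example, not the project's own rule.
SENSITIVE_KEY_RE = re.compile(
    r"(password|passwd|pwd|token|secret|api_key|apikey|jwt|private_key)",
    re.IGNORECASE,
)
MASK = "********"


def is_sensitive(option: str, value: Any) -> bool:
    """True when the option name looks like a credential and holds a real value."""
    return bool(SENSITIVE_KEY_RE.search(option)) and value not in ("", None, MASK)


def find_sensitive(config: dict[str, dict[str, Any]]) -> list[str]:
    """Return 'section.option' names whose values look like credentials.

    ``config`` is assumed to be shaped like a parsed INI file: section name ->
    option name -> value (the shape an as_dict() of a config file would
    plausibly produce; an assumption of this example).
    """
    return [
        f"{section}.{option}"
        for section, options in config.items()
        for option, value in options.items()
        if is_sensitive(option, value)
    ]


def redact(config: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
    """Return a deep copy of ``config`` with credential values replaced by MASK."""
    clean = deepcopy(config)
    for section, options in clean.items():
        for option, value in options.items():
            if is_sensitive(option, value):
                options[option] = MASK
    return clean


# Constructed sample resembling per-service exporter sections; every value is made up.
SAMPLE_CONFIG = {
    "influxdb": {"host": "influx.internal", "port": "8086", "user": "glances", "password": "hunter2"},
    "mongodb": {"host": "mongo.internal", "user": "glances", "password": "s3cret"},
    "outputs": {"jwt_secret_key": "example-jwt-signing-key"},
    "cpu": {"user_careful": "50", "user_warning": "70"},
}

if __name__ == "__main__":
    print(find_sensitive(SAMPLE_CONFIG))
    print(redact(SAMPLE_CONFIG))
```

Applied to a real response, a non-empty result from find_sensitive is the "response contains sensitive information" condition from the detection section.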
