CVE-2026-30928
Information Disclosure in Glances API Exposes Sensitive Credentials
Publication date: 2026-03-10
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nicolargo | glances | all versions before 4.5.1 (4.5.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30928 is a high-severity vulnerability in the Glances monitoring tool versions prior to 4.5.1. The vulnerability occurs because the /api/4/config REST API endpoint returns the entire parsed Glances configuration file without filtering or redacting sensitive information.
This configuration file contains sensitive credentials such as database passwords, API tokens, JWT signing keys, and SSL key passwords. The root cause is that the method used to produce the API response returns all configuration data as a flat dictionary without excluding or masking sensitive keys.
Additionally, if Glances is started without a password, authentication is bypassed, allowing any network-reachable attacker to access this sensitive configuration data via the API.
How can this vulnerability impact me?
This vulnerability can have severe impacts because it exposes all sensitive configuration secrets to unauthenticated users.
An attacker can retrieve credentials for backend databases such as InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, and Cassandra, as well as API tokens and JWT secret keys.
With these credentials, an attacker can gain unauthorized direct access to all connected data stores and potentially compromise the entire infrastructure monitored by Glances.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Glances monitoring tool version is 4.5.0 or earlier and by attempting to access the vulnerable API endpoint that exposes sensitive configuration data.
Specifically, an unauthenticated request to the REST API endpoint /api/4/config on the Glances server (default port 61208) can reveal the entire configuration file including sensitive credentials.
A simple way to test this from a network-reachable host is to fetch the configuration data with curl or wget:
- curl http://target:61208/api/4/config
- wget -qO- http://target:61208/api/4/config
If the response contains sensitive information such as database passwords, API tokens, JWT signing keys, or SSL key passwords, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Glances to version 4.5.1 or later, where this vulnerability is fixed.
The fix includes filtering and redacting sensitive configuration data from the API responses when accessed without authentication.
Additionally, ensure that the Glances webserver is started with a password to enforce authentication, preventing unauthenticated access to sensitive endpoints.
If upgrading immediately is not possible, restrict network access to the Glances API port (default 61208) to trusted hosts only, and avoid running Glances without a password.
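The two practical points above, checking a config response for unmasked secrets (detection) and masking sensitive keys before they leave the API (what the 4.5.1 fix does in principle), can be illustrated in a few lines of Python. The following is an added example written for this page; it is not Glances' own code, and the section names, key names and the regular expression that decides which keys count as sensitive are assumptions. The sample configuration is constructed, with placeholder values.

```python
import json
import re
import urllib.request

# Constructed sample in the flat "section -> {key: value}" shape that the page
# describes for the parsed Glances configuration. Values are placeholders.
SAMPLE_CONFIG = {
    "influxdb": {"host": "localhost", "port": "8086", "user": "root",
                 "password": "placeholder-db-pass"},
    "mongodb": {"host": "localhost", "user": "glances",
                "password": "placeholder-mongo-pass"},
    "webserver": {"port": "61208", "jwt_secret_key": "placeholder-jwt-secret"},
    "network": {"hide": "docker.*,lo"},
}
SAMPLE_RESPONSE = json.dumps(SAMPLE_CONFIG)  # what an unfiltered API reply would look like

# Assumed heuristic: a key is sensitive if its name mentions a password, secret,
# token, API key, private key or JWT. Extend it for your own deployment.
SENSITIVE_KEY_PATTERN = re.compile(
    r"(pass(word|wd)?|secret|token|api_?key|private_?key|jwt)", re.IGNORECASE)
REDACTED = "********"


def is_sensitive_key(key):
    """True if the configuration key name looks like it holds a credential."""
    return bool(SENSITIVE_KEY_PATTERN.search(key))


def redact_config(config):
    """Return a copy of the flat config with sensitive values masked.

    This is the mitigation side: apply it to the parsed configuration before
    it is serialised into an API response. The input dict is not modified.
    """
    return {
        section: {k: (REDACTED if is_sensitive_key(k) else v) for k, v in values.items()}
        for section, values in config.items()
    }


def find_exposed_secrets(response):
    """Return (section, key) pairs whose sensitive value is present unmasked.

    This is the detection side: feed it the body of a /api/4/config reply,
    either as JSON text or as an already-parsed dict. An empty list means
    nothing credential-like was returned in the clear.
    """
    data = json.loads(response) if isinstance(response, str) else response
    exposed = []
    for section, values in data.items():
        if not isinstance(values, dict):
            continue
        for key, value in values.items():
            if is_sensitive_key(key) and value not in (REDACTED, "", None):
                exposed.append((section, key))
    return exposed


def check_own_server(base_url, timeout=5):
    """Fetch /api/4/config from a Glances instance you operate and report exposure.

    Equivalent to the curl check above; returns the list from find_exposed_secrets.
    """
    with urllib.request.urlopen(base_url.rstrip("/") + "/api/4/config", timeout=timeout) as resp:
        return find_exposed_secrets(resp.read().decode("utf-8"))


if __name__ == "__main__":
    print("exposed in sample response:", find_exposed_secrets(SAMPLE_RESPONSE))
    print("exposed after redaction:   ", find_exposed_secrets(redact_config(SAMPLE_CONFIG)))
```

`redact_config` masks by key name rather than by value, which is the only workable rule when the server cannot know what a value means; the price is that a credential stored under an unusual key name slips through, so the pattern has to be reviewed against your own configuration file. `check_own_server` performs the same request as the curl command and should be pointed only at instances you are responsible for.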