CVE-2026-32608
Received Received - Intake
Command Injection via Improper Shell Parsing in Glances Action System

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: GitHub, Inc.

Description
Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-18
Generated
2026-05-07
AI Q&A
2026-03-18
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32608
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nicolargo glances to 4.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32608 is a command injection vulnerability in the Glances monitoring tool. Glances allows administrators to configure shell commands that run when certain monitoring thresholds are exceeded. These commands use Mustache templates populated with runtime data such as process names or container names. The vulnerability arises because the function executing these commands splits the command string on shell metacharacters like pipes (|), redirects (>), and command chaining (&&) without properly sanitizing the input. If an attacker controls a process or container name containing these metacharacters, they can inject arbitrary commands that get executed on the system.

The root cause is that the command execution function splits the command string incorrectly when these special characters appear in the rendered template values, allowing injection of additional commands. This can lead to arbitrary command execution with the privileges of the Glances process.


How can this vulnerability impact me? :

This vulnerability can allow an attacker who can create or control process or container names on the monitored system to execute arbitrary commands with the privileges of the Glances process, which is often root.

  • Arbitrary command execution on the system.
  • Potential privilege escalation if Glances runs with elevated privileges.
  • Arbitrary file writes via output redirection in injected commands.

The attack requires that an administrator has configured action commands referencing user-controllable fields and that the attacker can create processes or containers on the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves monitoring for suspicious or unexpected command executions triggered by Glances actions that include user-controllable fields such as process names or container names containing shell metacharacters.'}, {'type': 'paragraph', 'content': 'Since the vulnerability arises when Glances executes configured shell commands with Mustache-rendered values containing shell operators (e.g., |, &&, >), you can look for unusual command executions or logs indicating command injection attempts.'}, {'type': 'paragraph', 'content': 'Specific commands to detect exploitation attempts might include searching for processes or containers with suspicious names containing shell metacharacters, for example:'}, {'type': 'list_item', 'content': "List processes with suspicious names: ps aux | grep -E '[|&>]'"}, {'type': 'list_item', 'content': "List Docker containers with suspicious names: docker ps --format '{{.Names}}' | grep -E '[|&>]'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring Glances action logs or system logs for unexpected command executions or errors related to command splitting may help detect exploitation.'}] [2]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, upgrade Glances to version 4.5.2 or later, where the issue is fixed by sanitizing Mustache-rendered values to remove or replace shell metacharacters.

If upgrading is not immediately possible, apply the following mitigations:

  • Avoid using shell operators such as pipes (|), redirections (> or >>), and command chaining (&&) directly in Glances action command lines.
  • Instead, move complex shell commands into separate shell scripts and invoke those scripts from Glances actions.
  • Sanitize or validate any user-controllable fields (process names, container names, mount points) used in action commands to ensure they do not contain shell metacharacters.

These steps prevent command injection by ensuring that malicious input cannot break the command string into unintended segments.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart