CVE-2026-46607 is a high-severity insecure deserialization vulnerability in glances (pip), affecting versions < 4.5.5. It is fixed in 4.5.5.
Summary glances/outdated.py uses pickle.load() to read a version-check cache file stored at a predictable, world-accessible path (~/.cache/glances/glances-version.db or $XDGCACHEHOME/glances/glances-version.db). No integrity check, signature verification, or format validation is performed before deserialization. An attacker with write access to that path, through any of several realistic local or container-level scenarios, can plant a malicious pickle file and achieve arbitrary code execution as the OS user running Glances the next time it starts with version checking enabled (the default). Details Affected file: glances/outdated.py, method Outdated.loadcache(), line 121 Direct URL (commit 04579778e733d705898a169e049dc84772c852da): https://github.com/nicolargo/glances/blob/04579778e733d705898a169e049dc84772c852da/glances/outdated.py#L121 self.cachefile is constructed from the XDG cache directory path at Outdated.init(): On a default Linux installation this resolves to /home/john/.cache/glances/glances-version.db (or /root/.cache/glances/… when Glances runs as root). Python's pickle module is an execution-capable serialisation format: any class that implements reduce can embed an arbitrary callable and argument tuple that Python will invoke unconditionally at pickle.load() time. There is no safe subset of pickle; the only safe mitigation is to not use it for untrusted data. The code was verified on x8664 Linux, Python 3.13, Glances 4.5.5dev1 (commit 04579778e733d705898a169e049dc84772c852da). A malicious pickle crafted with os.system() via reduce executed the injected shell command successfully before the surrounding Python code raised a TypeError. PoC Special configuration required No non-default Glances configuration is needed. Version checking is enabled by default (checkupdate = true). The only pre condition is that the attacker can write to the Glances user's XDG cache directory, see the attack scenarios below for how this arises in practice. Attack scenario A, local privilege escalation (shared multi-user host) Prerequisites: Glances runs periodically (e.g. via systemd or cron) as a privileged user (root or a dedicated monitoring account). The attacker is an unprivileged local user who has write access to the Glances user's ~/.cache/glances/ directory (e.g. the directory or an ancestor is group- or world-writable, or was created with overly permissive umask). Step 1, Identify the cache path Step 2, Craft and plant a malicious pickle Step 3, Wait for Glances to start (or restart it) Glances calls loadcache() automatically at startup when checkupdate = true (the compiled-in default). No special configuration is required by the attacker. Step 4, Verify execution Attack scenario B, container / shared-volume poisoning A compromised container that shares a Docker/Podman volume with the Glances container can write to the cache path on the shared volume. The next time Glances restarts (e.g. after a rolling update), the payload executes inside the Glances container with its privileges. Attack scenario C, symlink race (TOCTOU) Before the Glances cache directory is created for the first time (e.g. on a fresh installation), an attacker with write access to ~/.cache/ can create a symlink: When Glances writes its legitimate cache file it writes instead to /tmp/attackercontrolled/glances-version.db, which the attacker can replace with the malicious pickle before the next start. Minimal self-contained reproduction Impact Vulnerability type: Insecure Deserialization (CWE-502) Who is impacted: Any system where Glances is run with version checking enabled (the default) in a shared environment where a less-privileged process can write to the Glances user's XDG cache directory, or in any containerised deployment using shared volumes. Impact: Confidentiality: Full, the attacker gains code execution in the context of the Glances process and can read any data accessible to that user. Integrity: Full, arbitrary commands can modify files, install persistence mechanisms, or alter system state. Availability: Full, the Glances process and, if running as root, the system can be disrupted. On many deployments Glances is run as root (required to access hardware performance counters without specific capabilities), meaning successful exploitation yields full root code execution without any further privilege escalation step. Suggested Fix Replace pickle with json for the version cache. The data stored is a simple Python dictionary containing two string values and a datetime object; a JSON representation is straightforward: If pickle is retained for any reason, the cache file must be protected with an HMAC keyed from a Glances-managed secret (e.g. a random key stored in the Glances config directory, which should itself be mode 0600). As an additional hardening measure, restrict the permissions of the Glances cache directory to 0700 at creation time. Responsible Disclosure The AFINE Team is committed to responsible / coordinated disclosure. The AFINE Team will not publish details of this vulnerability or release exploit code publicly until a fix has been released, or 90 days have elapsed from the date of this report, whichever comes first. Credits This issue was identified by Michał Majchrowicz and Marcin Wyczechowski, members of the AFINE Team.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2026-46607 has a CVSS score of 7.8 (High). The vector is requires local access, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (4.5.5). Upgrading removes the vulnerable code path.
pip
glances (< 4.5.5)glances → 4.5.5 (pip)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-46607 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-46607 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-46607 in your environment →Upgrade glances to 4.5.5 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-46607 is a high-severity insecure deserialization vulnerability in glances (pip), affecting versions < 4.5.5. It is fixed in 4.5.5. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
CVE-2026-46607 has a CVSS score of 7.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
glances (pip) versions < 4.5.5 is affected.
Yes. CVE-2026-46607 is fixed in 4.5.5. Upgrade to this version or later.
Whether CVE-2026-46607 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade glances to 4.5.5 or later.