Main Vulnerability Database Vulnerabilities #VU126703

Improper access control in glances - CVE-2026-30928

Published: April 21, 2026

Vulnerability identifier: #VU126703

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2026-30928

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Nicolas Hennion

Affected software:
glances

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the /api/4/config REST API endpoint when handling requests to retrieve configuration data. A remote attacker can send a request to the endpoint to disclose sensitive information.

The endpoint returns the parsed configuration file without filtering or redacting secrets, exposing credentials such as database passwords, API tokens, JWT signing keys, and SSL key passwords.

How to mitigate CVE-2026-30928

Install security update from vendor's website.

Sources

https://github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6

Improper access control in glances - CVE-2026-30928

Detailed vulnerability description

How to mitigate CVE-2026-30928

Sources

Please verify you're human