CVE-2026-30928: Glances Exposes Unauthenticated Configuration Secrets
The /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords.
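The missing filtering step, as an added example (my code, not the Glances project's fix; the key-name pattern and the sample configuration are assumptions): a redaction pass to run over the result of config.as_dict() before it is serialized, plus a check that can be run on the JSON an endpoint actually returns to confirm no secret survived.

```python
"""Redact sensitive values from a Glances-style configuration dict before it
is served over an API, and audit a returned dict for unmasked secrets."""
from __future__ import annotations

import re
from typing import Any

# Constructed sample of what config.as_dict() could return for a glances.conf
# with an InfluxDB export section. All values are placeholders, not credentials.
SAMPLE_CONFIG: dict[str, dict[str, Any]] = {
    "global": {"refresh": "2", "check_update": "true"},
    "influxdb": {
        "host": "localhost",
        "port": "8086",
        "user": "glances",
        "password": "hunter2-placeholder",
        "token": "influx-token-placeholder",
    },
    "outputs": {"ssl_keyfile_password": "ssl-pass-placeholder"},
}

# Option names whose values must never leave the process (case-insensitive).
# This pattern is an assumption for the example, not a list taken from Glances.
SENSITIVE_KEY = re.compile(
    r"(pass(word)?|token|secret|api_?key|private_?key|jwt)", re.IGNORECASE
)


def redact_config(config: dict[str, dict[str, Any]], mask: str = "***") -> dict[str, dict[str, Any]]:
    """Return a copy of `config` with every sensitive value replaced by `mask`."""
    return {
        section: {
            key: (mask if SENSITIVE_KEY.search(key) else value)
            for key, value in options.items()
        }
        for section, options in config.items()
    }


def leaked_secrets(config: dict[str, dict[str, Any]], mask: str = "***") -> list[str]:
    """List 'section.key' entries that still carry an unmasked sensitive value.
    Run it on the parsed JSON an endpoint returns to verify a fix took effect."""
    return [
        f"{section}.{key}"
        for section, options in config.items()
        for key, value in options.items()
        if SENSITIVE_KEY.search(key) and value not in ("", mask)
    ]


if __name__ == "__main__":
    print("before:", leaked_secrets(SAMPLE_CONFIG))
    print("after: ", leaked_secrets(redact_config(SAMPLE_CONFIG)))
```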
References
- github.com/advisories/GHSA-gh4x-f7cq-wwx6
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/306a7136154ba5c1531489c99f8306d84eae37da
- github.com/nicolargo/glances/releases/tag/v4.5.1
- github.com/nicolargo/glances/security/advisories/GHSA-gh4x-f7cq-wwx6
- nvd.nist.gov/vuln/detail/CVE-2026-30928