CVE-2026-30928
Published: 10 March 2026
Summary
CVE-2026-30928 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Nicolargo Glances. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 26.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-15 (Information Output Filtering).
Deeper analysis
Glances is an open-source cross-platform system monitoring tool affected by an information disclosure vulnerability tracked as CVE-2026-30928. Prior to version 4.5.1, the /api/4/config REST API endpoint returns the full contents of the parsed glances.conf configuration file through an unfiltered call to self.config.as_dict(). This exposes all configured credentials, including database passwords, API tokens, JWT signing keys, and SSL key passwords, and is classified under CWE-200 with a CVSS 4.0 score of 8.7.
An unauthenticated remote attacker with network access to the API endpoint can retrieve the entire configuration and obtain credentials for backend services. The attack requires no user interaction or privileges, allowing direct extraction of sensitive values that could be used to compromise connected databases, APIs, or other infrastructure monitored by Glances.
The vulnerability is addressed in the 4.5.1 release, as noted in the GitHub security advisory GHSA-gh4x-f7cq-wwx6, the corresponding commit 306a7136154ba5c1531489c99f8306d84eae37da, and the v4.5.1 release tag. The EPSS score reached a peak of 0.0845 with a current value of 0.0667.
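The unfiltered as_dict() pattern described above, placed beside an output-filtering variant of the kind SI-15 calls for, as an added example that is not Glances project code; the sample glances.conf contents, the sensitive-key pattern and all function names are constructed assumptions:

```python
"""Serving a parsed INI config over an API: unfiltered vs. redacted.

Constructed illustration, not Glances code. The vulnerable shape is a handler
that returns the whole parsed config; the hardened one redacts by key name
before serialisation, and a check function verifies nothing leaked.
"""
import configparser
import json
import re

# Constructed sample config; values are placeholders, not real secrets.
SAMPLE_CONF = """\
[influxdb2]
host=localhost
port=8086
token=PLACEHOLDER_INFLUX_TOKEN
org=monitoring
[mysql]
user=glances
password=PLACEHOLDER_DB_PASSWORD
[webserver]
ssl_keyfile_password=PLACEHOLDER_SSL_PASS
jwt_secret_key=PLACEHOLDER_JWT
refresh=2
"""

# Hypothetical key-name patterns treated as sensitive; tune per deployment.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api_?key|signing_?key)", re.I)
REDACTED = "***REDACTED***"

def parse_conf(text):
    """Parse INI text into {section: {key: value}}, the shape an as_dict() returns."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return {s: dict(parser.items(s)) for s in parser.sections()}

def config_api_unfiltered(conf):
    """Vulnerable pattern: hands the entire parsed config to any caller."""
    return conf

def config_api_filtered(conf):
    """Hardened pattern: same structure, sensitive values replaced before output."""
    return {sec: {k: (REDACTED if SENSITIVE_KEY.search(k) else v) for k, v in items.items()}
            for sec, items in conf.items()}

def leaked_secrets(conf, response):
    """Detection check: sensitive config values that appear verbatim in a response body."""
    body = json.dumps(response)
    secrets = {v for items in conf.values() for k, v in items.items() if SENSITIVE_KEY.search(k)}
    return sorted(s for s in secrets if s in body)

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    print("unfiltered leaks:", leaked_secrets(conf, config_api_unfiltered(conf)))
    print("filtered leaks:  ", leaked_secrets(conf, config_api_filtered(conf)))
```

The leaked_secrets check is the kind of assertion a regression test for the endpoint can carry: the filtered response must yield an empty list while non-sensitive keys such as host and refresh stay intact.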
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10539
Vulnerability details
Glances is an open-source cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to the public /api/4/config endpoint exposes credentials from the on-disk glances.conf file, directly enabling T1190 (exploit of public-facing app) to achieve T1552.001 (credentials in files).
CVEs Like This One
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): requires filtering of sensitive information prior to output, directly preventing exposure of unfiltered configuration credentials via the /api/4/config endpoint.
- AC-14 (Permitted Actions Without Identification or Authentication): limits permitted actions without identification or authentication, blocking unauthenticated remote access to sensitive configuration data.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, such as patching Glances to 4.5.1, to eliminate the vulnerability exposing the configuration file.