CVE-2026-33641
Published: 02 April 2026
Summary
CVE-2026-33641 is a high-severity OS Command Injection (CWE-78) vulnerability in Nicolargo Glances. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the vulnerability by requiring timely patching of Glances to version 4.0.5.3, eliminating the command injection flaw.
Requires validation of configuration file inputs during parsing to prevent execution of arbitrary commands embedded in backticks.
Restricts access to Glances configuration files, preventing low-privilege attackers from injecting malicious dynamic values.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via backticks in config parsing directly enables arbitrary Unix shell command execution (T1059.004) upon process start/reload; when Glances runs with elevated privileges (e.g., as service), this facilitates local privilege escalation (T1068).
NVD Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without…
more
validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation. This issue has been patched in version 4.5.3.
Deeper analysisAI
CVE-2026-33641 is an OS command injection vulnerability (CWE-78) in Glances, an open-source cross-platform system monitoring tool. In versions prior to 4.5.3, the Config.get_value() function processes dynamic configuration values by executing substrings enclosed in backticks as system commands without any validation or restrictions during configuration parsing.
A local attacker with low privileges (PR:L) who can modify or influence Glances configuration files can exploit this issue to execute arbitrary commands automatically with the privileges of the Glances process upon startup or configuration reload. If Glances is deployed with elevated privileges, such as running as a system service, successful exploitation enables privilege escalation, potentially granting high confidentiality, integrity, and availability impacts (C:H/I:H/A:H). The CVSS v3.1 base score is 7.8 (AV:L/AC:L/PR:L/UI:N/S:U).
The vulnerability has been patched in Glances version 4.5.3. Security practitioners should upgrade to this version for mitigation. Official resources include the GitHub security advisory at GHSA-qhj7-v7h7-q4c7, the patching commit 358d76a225fc21a9f95d2c4d7e46fafe64a644c6, and the release notes for v4.5.3.
Details
- CWE(s)