CVE-2026-30928 HIGH

CVE-2026-30928: Glances Exposes Unauthenticated Configuration Secrets

Vendor Nicolargo
Product glances
Weakness CWE-200 · Info exposure
Published March 10, 2026
Last update March 10, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Glances is an open-source, cross-platform system monitoring tool. In versions prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
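An added example, not code from Glances or its 4.5.1 fix: masking sensitive values in a parsed configuration dictionary before an API handler returns it, plus a check that lists which secrets an unfiltered dump would still expose. The key-name pattern, the helper names and the sample configuration are assumptions constructed for illustration.

```python
import configparser
import re

# Key-name fragments treated as sensitive (an assumption for this example,
# not the list used by Glances 4.5.1).
SENSITIVE = re.compile(r"(password|passwd|secret|token|api_key|private_key|jwt)", re.I)
MASK = "********"

# Constructed sample configuration; section and key names are illustrative.
SAMPLE_CONF = """
[outputs]
url_prefix = /glances
jwt_secret_key = constructed-signing-key

[influxdb2]
host = db.example.internal
port = 8086
token = constructed-api-token

[mongodb]
user = monitor
password = constructed-db-password

[webserver]
ssl_keyfile_password = constructed-key-password
refresh = 2
"""


def as_dict(conf_text):
    """Parse INI text into {section: {key: value}}, like an unfiltered dump."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def redact(config):
    """Return a copy with the values of sensitive-looking keys masked."""
    return {
        section: {k: (MASK if SENSITIVE.search(k) else v) for k, v in items.items()}
        for section, items in config.items()
    }


def leaked_keys(config):
    """List section.key pairs whose sensitive values are still in clear text."""
    return sorted(
        f"{section}.{k}"
        for section, items in config.items()
        for k, v in items.items()
        if SENSITIVE.search(k) and v != MASK
    )
```

Name-based masking misses secrets stored under unexpected key names, so an allowlist of keys known to be safe to return is the stricter design for an unauthenticated endpoint.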

Key dates

02 Disclosure timeline

March 10, 2026 CVE published
March 10, 2026 Record updated