CVE-2026-30928: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nicolargo glances
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services, including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
AI Analysis
Technical Summary
Glances is a widely used open-source, cross-platform system monitoring tool that reports system resource usage in real time and, when run as a web server (glances -w), exposes that data over a REST API. Prior to version 4.5.1, the /api/4/config endpoint returned the entire parsed configuration file (glances.conf) via self.config.as_dict() with no filtering or redaction. Because glances.conf is where the credentials for every configured export backend live, that dump typically includes database passwords, API tokens, JWT signing keys and SSL key passphrases. The REST API is reachable over the network and, unless a password has been configured for the Glances web server, requires no authentication, so anyone who can reach the port can retrieve every secret in the file with a single GET request. The exposure breaks the confidentiality of those backends and hands an attacker material to authenticate to databases and message brokers, forge tokens, or, combined with the key file, use the TLS private key. The vulnerability is tracked as CVE-2026-30928 (CWE-200) with a CVSS 4.0 base score of 8.7 (high): network attack vector, no privileges or user interaction required, high confidentiality impact. It is fixed in Glances 4.5.1; the advisory does not describe the fix beyond that, but the expected change is that sensitive values are filtered or masked before the configuration is returned by the API. No public exploit has been reported, but none is needed: the request is a plain HTTP GET, so any deployment that exposes the endpoint should be treated as at risk.
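To make the vulnerable pattern concrete, the following Python (an example added here, not Glances source) loads a constructed glances.conf-style file, dumps it the way an unfiltered as_dict() does, then shows a redacting dump and an audit helper that reports which options in a response still carry credentials. The sample sections and option names are invented for the example, the mask string and the option-name heuristic are assumptions, and the helper only looks at option names, so a secret stored under an innocuous name would not be flagged.

```python
"""Model of the pre-4.5.1 /api/4/config dump beside a redacting version.

Added example; not Glances source. SAMPLE_CONF is a constructed file whose
section and option names merely resemble a glances.conf, and the option-name
heuristic in is_sensitive_option is an assumption of this example.
"""
import configparser

# Constructed sample with the kinds of values the advisory says leak.
SAMPLE_CONF = """
[global]
refresh=2

[influxdb]
host=localhost
port=8086
user=glances
password=S3cretDbPass!
db=glances

[mqtt]
host=broker.example.internal
user=glances
password=mqtt-pass-42
topic=glances

[webserver]
ssl_keyfile=/etc/glances/server.key
ssl_keyfile_password=keyfile-passphrase
api_token=tok_live_abc123
jwt_signing_key=super-long-signing-key
"""

MASK = "***"
# Substrings that mark a credential-bearing option. Substring matching is
# deliberately broad (fail closed): "ssl_keyfile_password" is caught via "pass",
# while a plain path such as "ssl_keyfile" is not treated as a secret.
SENSITIVE_SUBSTRINGS = ("pass", "secret", "token", "credential")


def is_sensitive_option(name: str) -> bool:
    n = name.lower()
    return any(s in n for s in SENSITIVE_SUBSTRINGS) or n.endswith("key")


def load_config(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return cp


def config_as_dict(cp: configparser.ConfigParser) -> dict:
    """What the unfiltered endpoint returned: every section, every option, raw values."""
    return {section: dict(cp.items(section)) for section in cp.sections()}


def redacted_config(cp: configparser.ConfigParser) -> dict:
    """Same shape as config_as_dict, but credential-bearing values are masked.
    Empty values stay empty so an operator can still see which backends are unset."""
    return {
        section: {
            key: MASK if is_sensitive_option(key) and value else value
            for key, value in cp.items(section)
        }
        for section in cp.sections()
    }


def leaked_secrets(dump: dict) -> list:
    """Audit helper for a /api/4/config response body (already decoded from JSON):
    returns (section, option) pairs whose names look credential-bearing and whose
    values are neither empty nor masked. Non-empty output means the host still
    discloses secrets and everything in its glances.conf should be rotated."""
    return sorted(
        (section, key)
        for section, options in dump.items()
        for key, value in options.items()
        if is_sensitive_option(key) and value not in ("", MASK)
    )


if __name__ == "__main__":
    cp = load_config(SAMPLE_CONF)
    print("vulnerable dump leaks:", leaked_secrets(config_as_dict(cp)))
    print("redacted dump leaks:  ", leaked_secrets(redacted_config(cp)))
```

To check a live host, decode the JSON body of GET /api/4/config and pass the resulting dict to leaked_secrets(); an empty list is what a patched or properly hardened instance should produce.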
Potential Impact
Anyone who can reach the endpoint obtains, in one response, the credentials for every backend Glances has been configured to export to. Database passwords and API tokens let an attacker connect to those backends directly to read, alter or delete data. A JWT signing key lets them mint tokens that the consuming service will accept, so they can impersonate users or services without ever touching a login. An SSL key passphrase is only useful together with the corresponding key file, but once the passphrase is known the key file is protected by filesystem permissions alone, and anything that exposes it (a backup, another disclosure bug) yields a usable TLS private key. Because Glances is typically deployed on monitoring and management hosts, the leaked credentials often belong to shared infrastructure such as time-series databases and message brokers, which makes them a convenient pivot point into the rest of the network. Network reachability and the absence of authentication make exploitation cheap, so organisations running Glances with export backends configured should assume the credentials were exposed if the endpoint was reachable, and plan for the data breaches, service disruption and loss of trust that follow from abuse of those credentials.
Mitigation Recommendations
Upgrade Glances to 4.5.1 or later; that is the only change that removes the disclosure. After upgrading, confirm the fix by requesting /api/4/config from a test host and checking that the response no longer contains the raw values from glances.conf. Until the upgrade is possible: bind the web server to the loopback interface or a management interface with the -B option rather than all interfaces; enable the web server's password (--password) so the API is no longer anonymous; and put the service behind a reverse proxy or API gateway that authenticates callers and denies /api/*/config to everyone but administrators, backed by firewall rules or network segmentation so the port is not reachable from untrusted networks. If remote access is not needed, do not run Glances in web server mode (-w) at all; the terminal UI does not expose the API. Protect API traffic with TLS or a VPN so that configuration data retrieved by legitimate administrators is not also exposed on the wire. Treat every secret in glances.conf as compromised if the endpoint was reachable by untrusted hosts, and rotate them (database passwords, API tokens, JWT signing keys, and the TLS key together with its passphrase) rather than waiting for evidence of access; keep rotating on a schedule afterwards. Monitor proxy or web server access logs for requests to the config endpoint, especially from addresses outside the administrative network, since each successful request before the fix is a full disclosure. Finally, reduce the blast radius of the stored credentials themselves: give the Glances export accounts write-only or otherwise least-privilege rights on their backends, so that a leaked password cannot be used to read or administer the database it feeds.
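The log-monitoring advice above can be turned into a concrete check. The Python below (an added example, not part of the advisory or of Glances) parses reverse-proxy access log lines in nginx combined format, which is what you would have if the web server sits behind a reverse proxy or API gateway as recommended, and reports successful reads of the config endpoint from addresses outside an admin allowlist. The log lines and the admin subnet are constructed for the example; only 2xx responses count as disclosures, since a 401 from a password-protected web server leaked nothing.

```python
"""Detection over reverse-proxy access logs for reads of the Glances config endpoint.

Added example; not Glances code. SAMPLE_LOG lines are constructed in nginx
'combined' format, and ADMIN_NETS is an assumed allowlist for the example.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: an admin host, an unknown Internet host, and a later probe
# that was refused after a password was enabled on the Glances web server.
SAMPLE_LOG = """\
10.10.0.5 - - [10/Mar/2026:16:49:17 +0000] "GET /api/4/cpu HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.0.5 - - [10/Mar/2026:16:49:18 +0000] "GET /api/4/config HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.42 - - [10/Mar/2026:16:50:01 +0000] "GET /api/4/config HTTP/1.1" 200 4123 "-" "curl/8.4.0"
203.0.113.42 - - [10/Mar/2026:16:50:02 +0000] "GET /api/4/all HTTP/1.1" 200 9001 "-" "curl/8.4.0"
198.51.100.7 - - [10/Mar/2026:16:51:30 +0000] "GET /api/4/config HTTP/1.1" 401 0 "-" "python-requests/2.32"
"""

# Assumed: the only networks that should ever read the configuration.
ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Match the config endpoint under any API version; the version number is not what matters.
CONFIG_PATH_RE = re.compile(r"^/api/\d+/config/?(?:$|\?)")


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None for unparseable input."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def config_requests(log_text: str, successful_only: bool = True) -> list:
    """Entries that requested the config endpoint. With successful_only, keep 2xx
    responses only: a 401 (password enabled) or 403/404 disclosed nothing."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or not CONFIG_PATH_RE.match(e["path"]):
            continue
        if successful_only and not e["status"].startswith("2"):
            continue
        out.append(e)
    return out


def suspicious_config_reads(log_text: str) -> list:
    """Successful config reads from outside ADMIN_NETS: each is a presumed
    disclosure of every secret in that host's glances.conf."""
    return [e for e in config_requests(log_text) if not is_trusted(e["ip"])]


def disclosure_summary(log_text: str) -> dict:
    """Per-source-IP count of presumed disclosures, for triage and rotation decisions."""
    return dict(Counter(e["ip"] for e in suspicious_config_reads(log_text)))


if __name__ == "__main__":
    for ip, n in disclosure_summary(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful read(s) of the Glances config endpoint from an untrusted address")
```

Run it over the proxy's real access log (read the file into log_text) covering the whole period the vulnerable version was reachable; a non-empty summary means the rotation step above is not optional. If Glances serves the API directly rather than through a proxy, its own access log uses a different line format and LOG_RE must be adapted.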
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Japan, South Korea, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-07T16:40:05.885Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b04b8dea502d3aa873bac2
Added to database: 3/10/2026, 4:49:17 PM
Last enriched: 3/10/2026, 5:04:20 PM
Last updated: 3/10/2026, 7:13:23 PM