Glances 4.5.2 Command Injection Vulnerability

A high-severity command injection vulnerability has been identified in Glances versions prior to 4.5.3. These versions support dynamic configuration values in which substrings enclosed in backticks are executed as system commands during configuration parsing. This behavior occurs in Config.get_value() and is implemented without validation or restriction of the executed commands. If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation.

The vulnerability is tracked as CVE-2026-33641 and has a CVSS score of 7.8 (HIGH): CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The affected components are glances/config.py and glances/globals.py. The vulnerable Config.get_value() method scans configuration values for substrings enclosed in backticks and passes each one to system_exec(), which runs it via subprocess.run(). Although system_exec() uses shell=False, the text between the backticks is itself extracted and executed as the command. Credit for this discovery is given to Stepanov Daniil.

A Proof of Concept (PoC) for CVE-2026-33641, authored by Stepanov Daniil, demonstrates arbitrary command execution via the Glances configuration. The PoC creates a malicious config containing a command such as touch /tmp/glances_pwned; launching Glances with that config causes the command to execute during config parsing. To verify manually, create a file /tmp/malicious.conf containing an [outputs] section with the line url_prefix = `touch /tmp/glances_pwned`, then run glances -C /tmp/malicious.conf. If /tmp/glances_pwned exists afterwards, the command was executed, confirming that this version of Glances is vulnerable.

The impact of this vulnerability includes arbitrary command execution with the privileges of the Glances process. Since Glances often runs with elevated privileges (root/sudo), this can lead to complete system compromise. To address this, users must upgrade to Glances version 4.5.3 or higher. The dynamic backtick execution feature was completely removed in the updated version.
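For auditing existing deployments, the following added example (not code from Glances or from the original post) flags configuration values that contain backtick-enclosed substrings and config files that are writable by group or other users. The regex is an assumption approximating the behaviour described above, and the function names are hypothetical.

```python
import configparser
import os
import re
import stat

# Assumption: approximates "substrings enclosed in backticks" as described above.
BACKTICK = re.compile(r"`([^`]+)`")

# Constructed sample config; the first value is the PoC line from the post.
SAMPLE = """\
[outputs]
url_prefix = `touch /tmp/glances_pwned`

[cpu]
user_careful = 50
"""


def find_backtick_values(conf_text):
    """Return (section, key, command) for each backtick-enclosed substring."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            hits.extend((section, key, cmd) for cmd in BACKTICK.findall(value))
    return hits


def writable_by_group_or_other(path):
    """True if someone other than the file owner can modify the config."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(path):
    """Audit one config file for dynamic values and loose write permissions."""
    with open(path, encoding="utf-8") as fh:
        hits = find_backtick_values(fh.read())
    return {"backtick_values": hits,
            "loose_permissions": writable_by_group_or_other(path)}


if __name__ == "__main__":
    for section, key, cmd in find_backtick_values(SAMPLE):
        print(f"[{section}] {key}: would execute {cmd!r} on Glances < 4.5.3")
```

Run audit() against each config file the Glances service actually loads; a hit on either field is worth reviewing even after upgrading, since it shows who could have influenced the file.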

This post is licensed under CC BY 4.0 by the author.