Debian Package Tracker

glances

Curses-based monitoring tool


general
  • source: glances (main)
  • version: 4.5.2+dfsg-1
  • maintainer: Daniel Echeverri (DMD)
  • uploaders: Sebastien Badia [DMD]
  • arch: all
  • std-ver: 4.7.3
  • VCS: Git (Browse, QA)
versions (more versions can be listed by madison; old versions are available from snapshot.debian.org; pool directory)
  • oldstable: 3.3.1.1+dfsg-1
  • stable: 4.3.1+dfsg-1
  • testing: 4.5.2+dfsg-1
  • unstable: 4.5.2+dfsg-1
versioned links
  • 3.3.1.1+dfsg-1: .dsc (retrieve the source package with dget), changelog, copyright, rules, control
  • 4.3.1+dfsg-1: .dsc (retrieve the source package with dget), changelog, copyright, rules, control
  • 4.5.2+dfsg-1: .dsc (retrieve the source package with dget), changelog, copyright, rules, control
binaries
  • glances (5 bugs: RC 0, I&N 4, M&W 1, F&P 0)
  • glances-doc (1 bug: RC 0, I&N 1, M&W 0, F&P 0)
action needed
9 security issues in trixie (severity: high)

There are 9 open security issues in trixie.

9 important issues:
  • CVE-2026-30928: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, the /api/4/config REST API endpoint returns the entire parsed Glances configuration file (glances.conf) via self.config.as_dict() with no filtering of sensitive values. The configuration file contains credentials for all configured backend services including database passwords, API tokens, JWT signing keys, and SSL key passwords. This vulnerability is fixed in 4.5.1.
  • CVE-2026-32596: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, the Glances web server runs without authentication by default when started with `glances -w`, exposing the REST API, with sensitive system information including process command lines that contain credentials (passwords, API keys, tokens), to any network client. Version 4.5.2 fixes the issue.
  • CVE-2026-32608: Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.
  • CVE-2026-32609: Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
  • CVE-2026-32610: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
  • CVE-2026-32611: Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.
  • CVE-2026-32632: Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
  • CVE-2026-32633: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
  • CVE-2026-32634: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
Created: 2026-03-11 Last update: 2026-03-21 07:00
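The splitting problem behind CVE-2026-32608 is easiest to see side by side. The block below is an added example, not Glances code: it models an action command that is rendered from a `{{name}}` template and then split on pipe, redirect and chain operators, next to the safe ordering (tokenise the administrator's template first, substitute values into individual tokens afterwards). The renderer, the operator set and `tokenize()` are simplified assumptions about what `secure_popen()` does; the subprocess execution step is left out on purpose.

```python
# Added example, not Glances code: a command string split on shell operators
# *after* template rendering vs. an argv built from the tokenised template.
# The {{var}} renderer, OPERATORS and tokenize() are simplifications
# (assumptions) of the real secure_popen(); execution via
# subprocess.Popen(shell=False) is not shown.
import re
import shlex

OPERATORS = {"|", ">", ">>", "<", ";", "&&", "||"}
_VAR = re.compile(r"\{\{(\w+)\}\}")


def render(text, values):
    """Substitute {{name}} with values['name'] (missing names become '')."""
    return _VAR.sub(lambda m: str(values.get(m.group(1), "")), text)


def tokenize(text):
    """POSIX-style lexer that also emits ; | & < > ( ) as their own tokens.
    Note: an unbalanced quote in the input raises ValueError, which is one
    more reason not to lex attacker-influenced strings."""
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def group(tokens):
    """Turn a flat token list into [argv, operator, argv, ...]."""
    plan, argv = [], []
    for tok in tokens:
        if tok in OPERATORS:
            if argv:
                plan.append(argv)
                argv = []
            plan.append(tok)
        else:
            argv.append(tok)
    if argv:
        plan.append(argv)
    return plan


def plan_vulnerable(template, values):
    """Render first, then split: rendered data can introduce operators and
    therefore whole new commands."""
    return group(tokenize(render(template, values)))


def plan_safe(template, values):
    """Split first, render each token afterwards: the operator structure is
    fixed by the administrator's template, and a rendered value can only
    ever become (part of) a single argv element."""
    plan = group(tokenize(template))
    return [seg if isinstance(seg, str) else [render(tok, values) for tok in seg]
            for seg in plan]


if __name__ == "__main__":
    # Constructed action template and a process name chosen by an attacker.
    template = "logger -t glances critical: {{name}} | tee -a /var/log/alerts"
    hostile = {"name": "evil; id"}
    print(plan_vulnerable(template, hostile))
    print(plan_safe(template, hostile))
```

With the hostile process name, `plan_vulnerable` yields three segments (`logger`, then `id`, then `tee`), so `shell=False` on each segment does nothing to stop the injected `id`; `plan_safe` keeps the same name inside one argument of `logger`. Anything a monitored host can name (processes, mount points, container names) has to be treated as attacker-controlled input to the action system.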
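CVE-2026-32611 is about identifiers, not values: parameter placeholders protect the `INSERT` values, but a table or column name built with an f-string is still concatenated into the statement. The following block is an added example and not the Glances DuckDB exporter; it uses the `sqlite3` module that ships with CPython as a stand-in for DuckDB (assumption: both accept double-quoted identifiers, and `executescript()` stands in for a driver that executes every statement in the string). The hostile table name and the `audit` table are constructed for the demonstration.

```python
# Added example, not Glances code: DDL built from stat-derived names with
# f-strings vs. with quoted identifiers. sqlite3 stands in for DuckDB here
# (assumption: both accept double-quoted identifiers; executescript() models
# a driver that runs every statement it is handed).
import sqlite3

# Constructed hostile "plugin/stat name" that an export layer would use as
# a table name. The trailing "--" comments out the rest of the real DDL.
HOSTILE_TABLE = 'cpu (x INT); DROP TABLE audit; --'


def ddl_vulnerable(table, columns):
    """Identifiers interpolated verbatim (the pattern the advisory describes)."""
    cols = ", ".join(f"{c} DOUBLE" for c in columns)
    return f"CREATE TABLE IF NOT EXISTS {table} (ts TIMESTAMP, {cols})"


def quote_ident(name):
    """SQL identifier quoting: wrap in double quotes and double any embedded
    quote. Empty names and NUL bytes are rejected outright."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ValueError(f"unusable identifier: {name!r}")
    return '"' + name.replace('"', '""') + '"'


def ddl_safe(table, columns):
    """Same statement, every identifier quoted; values would still go
    through '?' placeholders in the INSERT path."""
    cols = ", ".join(f"{quote_ident(c)} DOUBLE" for c in columns)
    return f"CREATE TABLE IF NOT EXISTS {quote_ident(table)} (ts TIMESTAMP, {cols})"


def run_export_ddl(builder, table, columns):
    """Create an unrelated table, run the generated DDL, and report which
    tables survive, so the effect of the two builders can be compared."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE audit (id INTEGER)")
    con.executescript(builder(table, columns))
    rows = con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    print(ddl_vulnerable(HOSTILE_TABLE, ["total"]))
    print(run_export_ddl(ddl_vulnerable, HOSTILE_TABLE, ["total"]))   # audit is gone
    print(ddl_safe(HOSTILE_TABLE, ["total"]))
    print(run_export_ddl(ddl_safe, HOSTILE_TABLE, ["total"]))         # audit survives
```

Quoting makes the statement syntactically safe for any name; if the exporter can also afford to reject names outside `[A-Za-z0-9_]`, do both, since an oddly named table is still a nuisance for whoever queries the database later.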
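Three of the advisories (CVE-2026-30928, CVE-2026-32609 and CVE-2026-32633) share one root cause: an internal object (the parsed configuration, `vars(self.args)`, the polled server list) is serialised straight into an API response. The block below is an added example of the redaction step that belongs in between; it is not Glances's `as_dict_secure()`, whose rules may differ. The sensitive-key pattern, the sample configuration, the sample server list and the `conf_file` attribute name are assumptions constructed for the example.

```python
# Added example, not Glances code: redact a parsed configuration, an argparse
# namespace and a server list before an API serialises them. The key pattern,
# the sample data and the `conf_file` attribute name are assumptions.
import argparse
import re
from urllib.parse import urlsplit, urlunsplit

REDACTED = "***"
# Key names treated as secrets wherever they occur (case-insensitive). A match
# on a section key (e.g. "passwords") redacts every leaf under it.
SENSITIVE_KEY = re.compile(
    r"(passw|pwd|secret|token|api[_-]?key|private[_-]?key|ssl[_-]?key|"
    r"community|auth[_-]?key|priv[_-]?key|credential)", re.I)


def strip_userinfo(text):
    """scheme://user:pass@host/... -> scheme://host/...; other strings unchanged."""
    parts = urlsplit(text)
    if parts.scheme and "@" in parts.netloc:
        hostport = parts.netloc.rsplit("@", 1)[1]
        return urlunsplit((parts.scheme, hostport, parts.path, parts.query, parts.fragment))
    return text


def redact(obj, force=False):
    """Deep-copy obj for output: secret-looking keys (or everything below a
    secret-looking section) become a placeholder, every remaining string
    loses embedded URL credentials, other scalars pass through."""
    if isinstance(obj, dict):
        return {k: redact(v, force or (isinstance(k, str) and bool(SENSITIVE_KEY.search(k))))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [redact(v, force) for v in obj]
    if force and obj not in (None, ""):        # keep "unset" visible, hide the value
        return REDACTED
    if isinstance(obj, str):
        return strip_userinfo(obj)
    return obj


def args_for_api(namespace):
    """What an /args endpoint may return: vars(args) minus secrets, minus the
    configuration path (it tells an attacker where the secrets live)."""
    data = redact(vars(namespace))
    data.pop("conf_file", None)                # attribute name assumed
    return data


# Constructed sample data, shaped like a parsed glances.conf and a
# Central Browser server list; none of these values are real.
SAMPLE_CONFIG = {
    "influxdb2": {"host": "db.internal", "port": 8086, "token": "AbC123"},
    "timescaledb": {"dsn": "postgresql://glances:s3cret@db.internal/glances"},
    "snmp": {"community": "public", "version": "2c"},
    "passwords": {"default": "pbkdf2-sha256$salt$digest", "node1": ""},
}
SAMPLE_SERVERS = [
    {"name": "node1", "uri": "http://glances:5f4dcc3b@10.0.0.5:61208", "protected": True},
    {"name": "node2", "uri": "http://10.0.0.6:61208", "protected": False},
]

if __name__ == "__main__":
    print(redact(SAMPLE_CONFIG))
    print(redact(SAMPLE_SERVERS))
    ns = argparse.Namespace(password="pbkdf2-hash", snmp_community="public",
                            conf_file="/etc/glances/glances.conf", port=61208)
    print(args_for_api(ns))
```

Two design points worth keeping: redaction is applied to a copy at the serialisation boundary, so in-place mutation of the live objects during polling (the mechanism behind CVE-2026-32633) cannot leak later; and URL userinfo is stripped from every string regardless of key name, because a credential embedded in a `uri` or `dsn` field is not caught by any key-based list.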
8 security issues in bookworm (severity: high)

There are 8 open security issues in bookworm.

8 important issues (the same advisories as listed for trixie above; CVE-2026-30928 is not listed for bookworm):
  • CVE-2026-32596: the web server started with `glances -w` runs without authentication by default, exposing the REST API to any network client. Fixed in 4.5.2.
  • CVE-2026-32608: pipe, redirect or chain metacharacters in Mustache-rendered action values split `secure_popen()` commands in unintended ways, allowing command injection. Fixed in 4.5.2.
  • CVE-2026-32609: `/api/v4/args` and `/api/v4/args/{item}` return the unredacted argument namespace (password hash, SNMP secrets, configuration path), unauthenticated when no `--password` is set. More complete fix in 4.5.2.
  • CVE-2026-32610: the default CORS configuration (`allow_origins=["*"]` with `allow_credentials=True`) reflects the requesting `Origin`, allowing credentialed cross-site reads. Fixed in 4.5.2.
  • CVE-2026-32611: the DuckDB export module interpolates stat-derived table and column names into SQL via f-strings. More complete fix in 4.5.3.
  • CVE-2026-32632: the REST/WebUI application accepts arbitrary `Host` headers, leaving it reachable through DNS rebinding. Patched in 4.5.2.
  • CVE-2026-32633: in Central Browser mode, `/api/4/serverslist` returns server objects whose `uri` can embed reusable credentials for downstream Glances servers. Fixed in 4.5.2.
  • CVE-2026-32634: in Central Browser mode, connection URIs and password lookups are built from the untrusted Zeroconf-advertised name, so a fake service on the local network can harvest a reusable authentication secret. Fixed in 4.5.2.
Created: 2026-03-18 Last update: 2026-03-21 07:00
1 new commit since last upload, is it time to release? (severity: normal)
vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:
commit 4dbceb65522ab9dc2eb7e414057624ae84ec37aa
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Mon Mar 23 15:23:47 2026 +0100

    recommends python3-pysnmp instead of transitional python3-pysnmp4
Created: 2026-03-23 Last update: 2026-03-23 15:31
news
  • [2026-03-21] glances 4.5.2+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-19] Accepted glances 4.5.2+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2026-03-16] glances 4.5.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2026-03-13] Accepted glances 4.5.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2025-09-03] glances 4.3.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-09-01] Accepted glances 4.3.3+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2025-04-02] glances 4.3.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-29] Accepted glances 4.3.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2025-03-09] glances 4.3.0.8+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-03-05] glances REMOVED from testing (Debian testing watch)
  • [2025-01-11] glances 4.3.0.8+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-08] Accepted glances 4.3.0.8+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2024-12-22] glances 4.2.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-12-20] Accepted glances 4.2.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2024-11-30] glances 4.1.2.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-10-12] Accepted glances 4.1.2.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2024-05-22] glances 4.0.5+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2024-05-20] Accepted glances 4.0.5+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2023-07-12] glances 3.4.0.3+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-09] Accepted glances 3.4.0.3+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2023-01-25] glances 3.3.1.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2023-01-23] Accepted glances 3.3.1.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2022-10-26] glances 3.3.0.1+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-10-23] Accepted glances 3.3.0.1+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2022-10-17] glances 3.2.5+dfsg-1.1 MIGRATED to testing (Debian testing watch)
  • [2022-10-15] Accepted glances 3.2.5+dfsg-1.1 (source) into unstable (Michael Biebl)
  • [2022-04-19] glances 3.2.5+dfsg-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-17] Accepted glances 3.2.5+dfsg-1 (source) into unstable (Daniel Echeverri) (signed by: Daniel Echeverry)
  • [2022-01-18] Accepted glances 3.2.4.2+dfsg-1~bpo11+1 (source all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Boyuan Yang)
bugs
  • all: 6
  • RC: 0
  • I&N: 5
  • M&W: 1
  • F&P: 0
  • patch: 0
links
  • homepage
  • lintian
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu
  • version: 4.3.3+dfsg-1
  • 12 bugs (1 patch)

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers
Report problems to the tracker.debian.org pseudo-package in the Debian BTS.