CVE-2026-32608 Overview
CVE-2026-32608 is a command injection vulnerability in Glances, an open-source cross-platform system monitoring tool. The vulnerability exists in the action system that allows administrators to configure shell commands executed when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., {{name}}, {{key}}) that are populated with runtime monitoring data. Prior to version 4.5.2, the secure_popen() function's handling of pipe, redirect, and chain operators could be exploited by attackers who control process names, container names, or filesystem mount points to inject arbitrary commands.
Critical Impact
Attackers with local access who can control process names, container names, or mount points can inject arbitrary commands that execute with the privileges of the Glances monitoring service.
Affected Products
- Nicolargo Glances versions prior to 4.5.2
- Systems using Glances action configurations with Mustache template variables
- Environments where untrusted users can create processes or containers with attacker-controlled names
Discovery Timeline
- 2026-03-18 - CVE-2026-32608 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-32608
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from improper handling of shell metacharacters within Mustache-rendered template values in the Glances action system. The action system enables administrators to execute custom shell commands when monitoring thresholds are exceeded, using template variables like {{name}}, {{mnt_point}}, or {{container}} that get populated at runtime.
The secure_popen() function attempts to provide a security layer by implementing its own pipe, redirect, and chain operator handling. It splits the command string before passing each segment to subprocess.Popen(shell=False). However, this splitting mechanism does not account for metacharacters that may exist within the Mustache-rendered values themselves.
Root Cause
The root cause is insufficient sanitization of user-controllable data before command execution. When a Mustache-rendered value such as a process name, filesystem mount point, or container name contains shell metacharacters (&&, |, >, >>), the secure_popen() function splits the rendered command in unintended ways. This allows the metacharacters to be interpreted as command operators rather than literal strings, enabling command injection.
Attack Vector
An attacker with local access who can create processes or containers with controlled names, or who can influence filesystem mount points, can embed shell metacharacters within these names. When the Glances action system triggers and renders these names into the action command template, the embedded metacharacters cause unintended command splitting and execution.
For example, an attacker could create a container named harmless|malicious_command, which, when rendered into an action template, would cause malicious_command to be executed.
# Example of vulnerable configuration (before fix)
# From: docs/aoa/actions.rst
[fs]
warning=70
warning_action=echo "{{time}} {{mnt_point}} {{used}}/{{size}}" > /tmp/fs.alert
Source: GitHub Commit Update
The fix sanitizes Mustache-rendered values by replacing dangerous characters (&&, |, >, >>) with spaces before execution. The recommended secure configuration now uses external scripts:
# Secure configuration (after fix)
# From: docs/aoa/actions.rst
[fs]
warning=70
warning_action=python /path/to/fs-warning.py {{mnt_point}} {{used}} {{size}}
# Note: Shell operators (pipes, redirections, command chaining) cannot be
# used directly in action command lines. If your action requires pipes,
# redirections or chained commands, write a shell script and call it
# from the action instead.
Source: GitHub Commit Update
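To make the splitting behaviour concrete, here is a small Python model of the rendering, operator-aware splitting and 4.5.2-style value sanitization described above. It is an added illustration, not Glances' own secure_popen() code; the action line is the one from the workaround section below, the container values are constructed, and the code only builds argv lists and executes nothing.

```python
import re
import shlex

# Operators the advisory names; the two-character forms come first so they
# are matched before the single-character ones.
SHELL_OPERATORS = ("&&", ">>", "|", ">")

# Action line taken from the advisory's workaround section.
ACTION_TEMPLATE = ("/etc/glances/actions.d/container-alert.sh "
                   "{{Image}} {{Id}} {{cpu}} {{name}}")

# Constructed runtime values; the container name carries a pipe, as in the
# advisory's "harmless|malicious_command" example.
CONSTRUCTED_VALUES = {"Image": "nginx:1.25", "Id": "abc123",
                      "cpu": "95.0", "name": "harmless|malicious_command"}

def render(template, values):
    """Minimal Mustache-style substitution of {{key}} placeholders."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(values.get(m.group(1), "")), template)

def split_segments(command):
    """Model of an operator-aware splitter (not the real secure_popen): cut the
    rendered line on the operators, then tokenise each piece with shlex.
    Each returned list is an argv that would reach Popen(shell=False)."""
    pattern = "|".join(re.escape(op) for op in SHELL_OPERATORS)
    return [shlex.split(piece) for piece in re.split(pattern, command)]

def sanitize_value(value):
    """The documented 4.5.2 fix: replace operators in a rendered value with spaces."""
    for op in SHELL_OPERATORS:
        value = value.replace(op, " ")
    return value

def render_action(template, values, sanitize):
    """Render the action line (sanitising values first if asked) and return the
    argv segments the splitter would hand to Popen."""
    if sanitize:
        values = {k: sanitize_value(str(v)) for k, v in values.items()}
    return split_segments(render(template, values))

if __name__ == "__main__":
    # Unsanitised: the pipe in the name yields a second segment, ['malicious_command'].
    print(render_action(ACTION_TEMPLATE, CONSTRUCTED_VALUES, sanitize=False))
    # Sanitised: one segment, but the name now arrives as two arguments
    # ("harmless", "malicious_command"), so a script must not assume $4 is the whole name.
    print(render_action(ACTION_TEMPLATE, CONSTRUCTED_VALUES, sanitize=True))
```

The second print shows a side effect of the space replacement worth knowing when writing action scripts: a sanitized name can be split across several positional parameters.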
Detection Methods for CVE-2026-32608
Indicators of Compromise
- Unusual process names or container names containing shell metacharacters (|, &&, >, >>)
- Unexpected child processes spawned by the Glances service
- Log entries showing action executions with malformed or suspicious rendered commands
- Filesystem mount points with unusual characters in their names
Detection Strategies
- Monitor Glances process activity for unexpected child process creation
- Audit process names and container names for shell metacharacters that could indicate injection attempts
- Review Glances configuration files for action commands using potentially dangerous Mustache variables
- Implement process lineage monitoring to detect command injection chains originating from Glances
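As an added example (not part of the advisory or of Glances), a small Python audit that implements the configuration review above: it parses a glances.conf-style file and flags every *_action line that renders an attacker-influenced variable or relies on inline shell operators. The [fs] block is the advisory's own; the other section and key names in the sample are constructed.

```python
import configparser
import re

MUSTACHE_VAR = re.compile(r"\{\{(\w+)\}\}")
SHELL_OPERATORS = ("&&", ">>", "|", ">")
# Variables the advisory says are filled from names unprivileged local users may
# control. Assumption: other variables (time, cpu, used, size, ...) are trusted.
ATTACKER_INFLUENCED = {"name", "mnt_point", "container"}

# Constructed sample config. Only the [fs] block is from the advisory; the
# other section/key names are illustrative, not a verified glances.conf layout.
SAMPLE_CONF = """[fs]
warning=70
warning_action=echo "{{time}} {{mnt_point}} {{used}}/{{size}}" > /tmp/fs.alert
[processlist]
cpu_critical=90
cpu_critical_action=/etc/glances/actions.d/proc-alert.sh {{name}}
[load]
critical_action=logger "glances: load critical"
"""

def audit_config(text):
    """Return one finding per *_action key: which Mustache variables it uses,
    which of them come from attacker-influenced names, and whether the line
    relies on inline shell operators (which 4.5.2 no longer allows)."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not key.endswith("_action"):
                continue
            variables = MUSTACHE_VAR.findall(value)
            risky = [v for v in variables if v in ATTACKER_INFLUENCED]
            operators = any(op in value for op in SHELL_OPERATORS)
            findings.append({
                "section": section, "key": key, "variables": variables,
                "risky_vars": risky, "inline_operators": operators,
                "needs_review": bool(risky) or operators,
            })
    return findings

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONF):
        flag = "REVIEW" if f["needs_review"] else "ok"
        print(f"[{f['section']}] {f['key']}: {flag} vars={f['variables']} "
              f"risky={f['risky_vars']} operators={f['inline_operators']}")
```

Point the script at a real glances.conf with `audit_config(open(path).read())` to list the action lines that need migrating to external scripts.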
Monitoring Recommendations
- Enable detailed logging for Glances action executions
- Set up alerts for processes spawned by Glances that don't match expected action patterns
- Monitor for creation of containers or processes with names containing |, &&, >, or >> characters
- Implement file integrity monitoring on Glances configuration files
How to Mitigate CVE-2026-32608
Immediate Actions Required
- Upgrade Glances to version 4.5.2 or later immediately
- Review all Glances action configurations for use of Mustache template variables
- Migrate inline shell commands in actions to external scripts as recommended in the updated documentation
- Restrict who can create processes or containers on systems running Glances
Patch Information
The vulnerability is fixed in Glances version 4.5.2. The fix sanitizes Mustache-rendered values by replacing the characters &&, |, >, and >> with spaces before command execution. This prevents command injection through user-controllable data such as process names, container names, or mount points.
- GitHub Release v4.5.2
- Security Advisory GHSA-vcv2-q258-wrg7
- Commit 6f4ec53d967478e69917078e6f73f448001bf107
Workarounds
- If immediate upgrade is not possible, disable all action configurations that use Mustache template variables
- Restrict container and process creation permissions on systems running Glances
- Implement strict naming policies for containers that prohibit shell metacharacters
- Run Glances with minimal privileges to limit the impact of potential command injection
# Configuration example - Migrate to external scripts
# Create /etc/glances/actions.d/container-alert.sh:
#!/bin/bash
# Usage: container-alert.sh <Image> <Id> <cpu> <name>
# This script handles container alerts safely
set -u                     # fail on a missing positional parameter instead of expanding to ""
name=${4//\//_}            # the name becomes part of a path: replace "/" so it stays one component
echo "$1 $2 $3" > "/tmp/container_${name}.alert"
# Add email notification or other actions here
# Update glances.conf to use the script:
# containername_cpu_critical_action=/etc/glances/actions.d/container-alert.sh {{Image}} {{Id}} {{cpu}} {{name}}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.