CVE-2026-33641 Overview
CVE-2026-33641 is a command injection vulnerability (CWE-78) affecting Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.3, Glances supports dynamic configuration values where substrings enclosed in backticks are executed as system commands during configuration parsing. This dangerous behavior occurs in Config.get_value() and is implemented without any validation or restriction of the executed commands.
If an attacker can modify or influence configuration files, arbitrary commands will execute automatically with the privileges of the Glances process during startup or configuration reload. In deployments where Glances runs with elevated privileges (e.g., as a system service), this may lead to privilege escalation.
Critical Impact
Attackers with write access to Glances configuration files can achieve arbitrary command execution with the privileges of the Glances process, potentially leading to full system compromise in elevated-privilege deployments.
Affected Products
- Glances versions prior to 4.5.3
Discovery Timeline
- 2026-04-02 - CVE CVE-2026-33641 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-33641
Vulnerability Analysis
This vulnerability stems from unsafe handling of configuration file values in Glances. The application's Config.get_value() function processes configuration strings and interprets any text enclosed in backticks as shell commands to be executed. This dynamic configuration feature was implemented without proper input validation or command allowlisting.
When Glances parses its configuration file during startup or reload, any backtick-enclosed strings are passed directly to the system shell for execution. The command output is then substituted into the configuration value. This creates a direct path from configuration file modification to arbitrary code execution.
The vulnerability requires local access to modify configuration files, but the impact is significant because Glances is commonly deployed as a system service running with elevated privileges to access system metrics and hardware information.
Root Cause
The root cause is the implementation of a shell command substitution feature within the Config.get_value() function that processes backtick-enclosed substrings as system commands. This design pattern—interpreting configuration values as executable code—introduces a classic command injection vulnerability (CWE-78) when configuration files can be modified by less-privileged users or through other attack vectors.
Attack Vector
The attack requires local access to modify Glances configuration files. An attacker with write access to the configuration file can inject malicious commands enclosed in backticks. These commands execute when Glances starts or reloads its configuration. For example, a configuration value containing `id > /tmp/pwned` would execute the id command and write its output to a file.
The attack is particularly dangerous in scenarios where:
- Glances runs as a system service with root privileges
- Configuration files are writable by non-root users due to misconfigured permissions
- Glances is deployed in containerized environments where configuration is mounted from external sources
The security patch updates dependencies including anyio from version 4.12.1 to 4.13.0 and attrs from version 25.4.0 to 26.1.0 as part of the broader security fix:
# via fastapi
annotated-types==0.7.0
# via pydantic
-anyio==4.12.1
+anyio==4.13.0
# via
# elasticsearch
# httpx
# mcp
# sse-starlette
# starlette
-attrs==25.4.0
+attrs==26.1.0
# via
# jsonschema
# referencing
Source: GitHub Commit Update
Detection Methods for CVE-2026-33641
Indicators of Compromise
- Configuration files containing backtick characters (`) with embedded shell commands
- Unexpected child processes spawned by the Glances process during startup or configuration reload
- Modifications to Glances configuration files (glances.conf) by unauthorized users or processes
- Suspicious command execution patterns correlating with Glances service restarts
Detection Strategies
- Monitor file integrity of Glances configuration files for unauthorized modifications
- Audit process trees for unexpected command execution originating from Glances parent processes
- Implement file access logging on /etc/glances/ and user-level ~/.config/glances/ directories
- Use SentinelOne behavioral AI to detect anomalous process spawning patterns from monitoring tools
Monitoring Recommendations
- Enable auditd or equivalent filesystem auditing on Glances configuration directories
- Configure alerts for any modification to glances.conf files outside of maintenance windows
- Monitor for shell command execution patterns that correlate with Glances service events
- Track privilege escalation attempts following Glances process activity
How to Mitigate CVE-2026-33641
Immediate Actions Required
- Upgrade Glances to version 4.5.3 or later immediately
- Audit all Glances configuration files for malicious backtick-enclosed commands
- Restrict write permissions on Glances configuration files to root or administrative users only
- Review logs for evidence of configuration file tampering or suspicious command execution
Patch Information
The vulnerability has been patched in Glances version 4.5.3. The fix removes or restricts the dynamic command execution feature in configuration parsing. Users should upgrade immediately by updating their Glances installation.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-qhj7-v7h7-q4c7 and the GitHub Release v4.5.3.
Workarounds
- Set strict file permissions (chmod 600) on all Glances configuration files
- Run Glances with minimal required privileges using a dedicated service account
- Audit configuration files and remove any backtick characters before each service start
- Consider running Glances in a sandboxed environment or container with restricted capabilities
# Secure Glances configuration files
chmod 600 /etc/glances/glances.conf
chown root:root /etc/glances/glances.conf
# For user-level configurations
chmod 600 ~/.config/glances/glances.conf
# Check for suspicious backtick content in configuration
grep -r '`' /etc/glances/ ~/.config/glances/ 2>/dev/null
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
