Fluid Attacks Database

Description

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., {{name}}, {{key}}) that are populated with runtime monitoring data. The secure_popen() function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to subprocess.Popen(shell=False). Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	glances	=3.3.1.1+dfsg-1 \|\| =3.4.0.3+dfsg-1 \|\| =4.0.5+dfsg-1 \|\| =4.1.2.1+dfsg-1 \|\| =4.2.1+dfsg-1 \|\| =4.3.0.8+dfsg-1 \|\| =4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| =4.5.2+dfsg-1 \|\| =4.5.3.2+dfsg-1 \|\| =4.5.4+dfsg-1	-
debian 13	glances	=4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| =4.5.2+dfsg-1 \|\| =4.5.3.2+dfsg-1 \|\| =4.5.4+dfsg-1	-
pypi	glances	>=0 <4.5.2	4.5.2
debian 14	glances	=4.3.1+dfsg-1 \|\| =4.3.3+dfsg-1 \|\| =4.5.1+dfsg-1 \|\| >=0 <4.5.2+dfsg-1	4.5.2+dfsg-1

Aliases

1. CVE-2026-326082. NVD-2026-326083. OSV-DEBIAN-2026-326084. OSV-2026-326085. GHSA-vcv2-q258-wrg76. GCVE-2026-326087. SECURITY-TRACKER-CVE-2026-32608

References

1. https://github.com/nicolargo/glances/security/advisories/GHSA-vcv2-q258-wrg72. https://github.com/nicolargo/glances/commit/6f4ec53d967478e69917078e6f73f448001bf1073. https://github.com/nicolargo/glances/releases/tag/v4.5.2