2448562 – (CVE-2026-32608) CVE-2026-32608 glances: command injection via process names in action command templates

Bug 2448562 (CVE-2026-32608) - CVE-2026-32608 glances: command injection via process names in action command templates

Summary: CVE-2026-32608 glances: command injection via process names in action command...

Keywords:
Status:	NEW
Alias:	CVE-2026-32608
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2448670 2448671
Blocks:
TreeView+	depends on / blocked

Reported:	2026-03-18 07:05 UTC by OSIDB Bzimport
Modified:	2026-03-23 16:59 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-03-18 07:05:45 UTC

Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.

Note You need to log in before you can comment on or make changes to this bug.