Can you explain this vulnerability to me?

CVE-2026-32596 is a security vulnerability in the Glances monitoring tool where its web server runs without authentication by default when started with the command `glances -w`. This means that the REST API is exposed to any network client without requiring a password or token.

Because of this, sensitive system information is accessible, including detailed process command-lines that may contain credentials such as passwords, API keys, or tokens. The server binds to all network interfaces (0.0.0.0) by default, making it accessible from any client on the network.

This default insecure setup is intended for ease of use on private, trusted networks but poses a significant risk if exposed to untrusted networks. The vulnerability was fixed in Glances version 4.5.2 by introducing a startup warning when the REST API is enabled without authentication, although the unauthenticated mode remains the default for private networks.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability allows any network client to access the full REST API of Glances without authentication, exposing sensitive system information.

• Attackers can retrieve detailed system data including process lists with full command lines, which may contain credentials like passwords, API keys, tokens, or secrets.
• Exposed endpoints include system information, process lists, network connections, filesystems, and Docker container details.

With this information, attackers can perform system reconnaissance, harvest credentials, and potentially carry out lateral movement or targeted attacks within the network.

Useful 0 Not Useful 0

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know

Useful 0 Not Useful 0

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Glances web server is running without authentication and is accessible on the network. Specifically, if Glances is started with the command `glances -w` without a password, it runs an unauthenticated REST API server bound to all network interfaces (0.0.0.0) by default.

You can detect the presence of this vulnerable service by scanning your network for open port 61208 (the default Glances API port) and attempting to access the REST API endpoints.

Example commands to detect the vulnerability include:

• Use nmap to scan for open port 61208 on your hosts: `nmap -p 61208 <target-ip>`
• Use curl or a web browser to query the API endpoint without authentication: `curl http://<target-ip>:61208/api/4/all`
• Look for a startup warning message in Glances logs or stdout indicating the REST API is running without authentication.

If the API responds with system information or process lists including command lines, the vulnerability is present.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should:

• Upgrade Glances to version 4.5.2 or later, which includes fixes and startup warnings related to this issue.
• Enable authentication by starting Glances with the `--password` option, for example: `glances -w --password`.
• Restrict network exposure by binding the Glances web server to localhost only if remote access is not needed: `glances -w --bind 127.0.0.1`.
• For public or semi-public deployments, use a reverse proxy (such as nginx, Caddy, or Apache) with TLS and authentication to securely forward requests to Glances.

These steps reduce the risk of unauthorized access to sensitive system information exposed by the Glances REST API.

Useful 0 Not Useful 0