CVE-2026-32609
Undergoing Analysis - In Progress
Unauthenticated Secrets Exposure in Glances API Args Endpoints

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated exposure of configuration secrets on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not covered by that fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
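The following is an added example, not Glances' own code, illustrating the pattern the description refers to: an API handler that returns `vars(args)` hands out every attribute of the argument namespace, while a redacting variant replaces the values of secret-bearing attributes before they leave the process. The attribute names (`password`, `snmp_community`, `snmp_auth`, `snmp_user`, `conf_file`, `username`) and the function names `args_unsafe`, `args_secure` and `arg_item_secure` are assumptions chosen for illustration; the namespace is a constructed sample.

```python
import argparse
import hashlib
import os
from typing import Any, Dict, Optional

# Assumed names of namespace attributes that carry secrets (illustrative, not
# taken from Glances' source).
SENSITIVE_ARGS = frozenset({
    "password", "snmp_community", "snmp_auth", "snmp_user", "conf_file", "username",
})
REDACTED = "***REDACTED***"


def build_args(password: Optional[str] = None) -> argparse.Namespace:
    """Construct a namespace resembling a monitoring tool's parsed CLI options.

    The values are a constructed sample. When a password is given, it is stored
    the way the advisory describes: a salt plus a pbkdf2_hmac digest.
    """
    ns = argparse.Namespace(
        port=61208,
        bind="0.0.0.0",
        username="glances",
        conf_file="/etc/glances/glances.conf",
        snmp_community="public",
        snmp_auth="snmp-auth-key-sample",
        password=None,
    )
    if password is not None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        ns.password = salt.hex() + "$" + digest.hex()
    return ns


def args_unsafe(args: argparse.Namespace) -> Dict[str, Any]:
    """Vulnerable pattern: the whole namespace, secrets included."""
    return dict(vars(args))


def args_secure(args: argparse.Namespace) -> Dict[str, Any]:
    """Hardened pattern: copy the namespace, replacing any set secret value.

    A None value is left as None so the caller can still tell that the option
    is unset; a set value is never echoed back, not even hashed.
    """
    out: Dict[str, Any] = {}
    for key, value in vars(args).items():
        if key in SENSITIVE_ARGS and value is not None:
            out[key] = REDACTED
        else:
            out[key] = value
    return out


def arg_item_secure(args: argparse.Namespace, item: str) -> Any:
    """Per-item lookup (the /args/{item} shape) must go through the same
    redaction, otherwise the single-item route leaks what the bulk route hides."""
    return args_secure(args).get(item)


if __name__ == "__main__":
    sample = build_args("s3cret")
    print("unsafe:", args_unsafe(sample)["password"][:24], "...")
    print("secure:", args_secure(sample)["password"])
    print("item  :", arg_item_secure(sample, "snmp_community"))
```

The point of `arg_item_secure` is that both routes share one redaction step; fixing only the bulk endpoint and leaving a per-item endpoint that reads the raw namespace reproduces exactly the gap the advisory describes between the `config` and `args` endpoints.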
Meta Information
  • Published: 2026-03-18
  • Last Modified: 2026-03-19
  • Generated: 2026-05-07
  • AI Q&A: 2026-03-18
  • EPSS Evaluated: 2026-05-05
  • NVD
Affected Vendors & Products (1 associated CPE)
Vendor | Product | Version / Range
nicolargo | glances | up to 4.5.2 (excluding)
CWE ID | Description
CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32609 is a high-severity vulnerability in the Glances monitoring tool where sensitive configuration secrets are exposed through certain RESTful API endpoints.

Although a previous fix secured the `/api/v4/config` endpoints by redacting sensitive data, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were overlooked and still return the full command-line arguments namespace without redaction.

These endpoints expose highly sensitive information such as password hashes (including salt and PBKDF2-HMAC details), SNMP community strings, SNMP authentication keys, configuration file paths, and usernames.

When Glances runs without password authentication (the default), these endpoints are accessible without any authentication, allowing unauthenticated attackers to retrieve this sensitive data.

Even when password authentication is enabled, authenticated users can access the password hash, which remains vulnerable to offline brute-force attacks.


How can this vulnerability impact me?

This vulnerability can have several serious impacts:

  • Unauthenticated attackers can perform network reconnaissance to obtain sensitive credentials and configuration details.
  • Exposed password hashes enable offline brute-force attacks to recover passwords.
  • Exposed SNMP credentials can allow attackers to move laterally within a network.
  • Default CORS misconfiguration risks cross-origin secret theft.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the vulnerable API endpoints on the Glances monitoring tool without authentication and inspecting the returned data for sensitive information exposure.

  • Use a command like: curl http://<glances_host>:61208/api/v4/args to retrieve the full command-line arguments namespace.
  • Check if the response contains sensitive fields such as password hashes, SNMP community strings, SNMP authentication keys, configuration file paths, or usernames.
  • If Glances is running without the --password option (default), these endpoints are accessible without authentication, making detection straightforward by direct API calls.
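As an added example (not part of the original page or of Glances), the check described above can be scripted so it runs against your own instances as part of an inventory sweep: the response body of the args endpoint is parsed and any sensitive field that comes back with a real value is reported, and the reported version is compared against 4.5.2. The key names in `SENSITIVE_KEYS`, the `fetch_args` helper and the sample response are assumptions and constructed data for illustration; the fixed version and the default port 61208 come from the page.

```python
import json
import re
import urllib.request
from typing import Any, Dict, List, Tuple

# Assumed field names that would indicate secret exposure (illustrative).
SENSITIVE_KEYS = ("password", "snmp_community", "snmp_auth", "snmp_user", "conf_file", "username")
FIXED_VERSION = (4, 5, 2)  # from the advisory: 4.5.2 provides the complete fix

# Constructed sample of what an unredacted args response might contain.
SAMPLE_RESPONSE = json.dumps({
    "port": 61208,
    "bind": "0.0.0.0",
    "username": "glances",
    "password": "0123456789abcdef$deadbeef",
    "snmp_community": "public",
    "snmp_auth": None,
    "conf_file": "/etc/glances/glances.conf",
    "disable_plugin": "",
})


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.5.1' (or '4.5.2.1', 'v4.5.2') into a comparable tuple of ints."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def version_is_vulnerable(version: str) -> bool:
    """Versions before 4.5.2 are in the affected range given on the page."""
    return parse_version(version) < FIXED_VERSION


def find_exposed_secrets(body: str) -> List[str]:
    """Return the sensitive keys whose value is actually present in the body.

    A key that is absent or null is not counted: an unset option reveals only
    that the option is unset, while a populated value is the finding.
    """
    data: Dict[str, Any] = json.loads(body)
    return [k for k in SENSITIVE_KEYS if data.get(k) not in (None, "")]


def fetch_args(host: str, port: int = 61208, timeout: float = 5.0) -> str:
    """Retrieve the args endpoint without credentials (assumed helper; the
    endpoint path is the one named in the advisory). Only call this against
    hosts you administer."""
    url = f"http://{host}:{port}/api/v4/args"
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310
        return resp.read().decode("utf-8")


def assess(body: str, version: str) -> Dict[str, Any]:
    """Combine the two checks into one finding record for a host."""
    exposed = find_exposed_secrets(body)
    return {
        "version": version,
        "version_vulnerable": version_is_vulnerable(version),
        "exposed_fields": exposed,
        "finding": bool(exposed) or version_is_vulnerable(version),
    }


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_args(host) for a live host.
    print(json.dumps(assess(SAMPLE_RESPONSE, "4.5.1"), indent=2))
```

Reporting the specific fields rather than a bare true/false makes it easier to decide what has to be rotated afterwards (SNMP community strings and auth keys, the Glances password) once the instance has been upgraded or put behind authentication.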

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability immediately, you should upgrade Glances to version 4.5.2 or later, which includes a complete fix that redacts sensitive information from the vulnerable API endpoints.

If upgrading is not immediately possible, enable password authentication by running Glances with the --password option to restrict unauthenticated access to the API endpoints.

Be aware that even with password authentication enabled, authenticated users can still access the password hash, so upgrading remains the best mitigation.

Additionally, consider restricting network access to the Glances API port to trusted hosts only, reducing exposure to unauthenticated attackers.

