CVE-2026-32609
Undergoing Analysis Undergoing Analysis - In Progress
Unauthenticated Secrets Exposure in Glances API Args Endpoints

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32609
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nicolargo glances to 4.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32609 is a high-severity vulnerability in the Glances monitoring tool where sensitive configuration secrets are exposed through certain RESTful API endpoints.

Although a previous fix secured the `/api/v4/config` endpoints by redacting sensitive data, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were overlooked and still return the full command-line arguments namespace without redaction.

These endpoints expose highly sensitive information such as password hashes (including salt and PBKDF2-HMAC details), SNMP community strings, SNMP authentication keys, configuration file paths, and usernames.

When Glances runs without password authentication (the default), these endpoints are accessible without any authentication, allowing unauthenticated attackers to retrieve this sensitive data.

Even when password authentication is enabled, authenticated users can access the password hash, which remains vulnerable to offline brute-force attacks.

Impact Analysis

This vulnerability can have several serious impacts:

  • Unauthenticated attackers can perform network reconnaissance to obtain sensitive credentials and configuration details.
  • Exposed password hashes enable offline brute-force attacks to recover passwords.
  • Exposed SNMP credentials can allow attackers to move laterally within a network.
  • Default CORS misconfiguration risks cross-origin secret theft.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by attempting to access the vulnerable API endpoints on the Glances monitoring tool without authentication and inspecting the returned data for sensitive information exposure.

  • Use a command like: curl http://<glances_host>:61208/api/v4/args to retrieve the full command-line arguments namespace.
  • Check if the response contains sensitive fields such as password hashes, SNMP community strings, SNMP authentication keys, configuration file paths, or usernames.
  • If Glances is running without the --password option (default), these endpoints are accessible without authentication, making detection straightforward by direct API calls.
Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade Glances to version 4.5.2 or later, which includes a complete fix that redacts sensitive information from the vulnerable API endpoints.

If upgrading is not immediately possible, enable password authentication by running Glances with the --password option to restrict unauthenticated access to the API endpoints.

Be aware that even with password authentication enabled, authenticated users can still access the password hash, so upgrading remains the best mitigation.

Additionally, consider restricting network access to the Glances API port to trusted hosts only, reducing exposure to unauthenticated attackers.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32609. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart