CVE-2026-32596 Overview
CVE-2026-32596 is a high-severity information disclosure vulnerability in Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.2, when Glances is started in web server mode using glances -w, it runs without authentication by default and binds to all network interfaces (0.0.0.0). This configuration exposes the REST API to any network client, allowing unauthorized access to sensitive system information including process command-lines that may contain credentials such as passwords, API keys, and tokens.
Critical Impact
Unauthenticated network access to sensitive system information including process command-lines containing credentials, API keys, and tokens passed as arguments.
Affected Products
- nicolargo glances versions prior to 4.5.2
Discovery Timeline
- 2026-03-18 - CVE CVE-2026-32596 published to NVD
- 2026-03-18 - Last updated in NVD database
Technical Details for CVE-2026-32596
Vulnerability Analysis
This vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue stems from insecure default configuration choices in the Glances web server component. When administrators launch Glances with the -w flag to enable web-based monitoring, the application binds to all network interfaces without requiring any form of authentication.
The REST API exposed by Glances provides comprehensive system monitoring data, including detailed process information. Process command-lines frequently contain sensitive data such as database connection strings with embedded passwords, API tokens passed as command-line arguments, and other credentials used by applications and services running on the monitored system.
An attacker with network access to a vulnerable Glances instance can simply query the API endpoints to retrieve this sensitive information without any authentication challenge. This is particularly dangerous in environments where Glances servers are inadvertently exposed to untrusted networks or the internet.
Root Cause
The root cause is an insecure default configuration where the Glances web server operates without authentication and binds to all network interfaces (0.0.0.0). While this default was intentional for ease of use on private, trusted networks such as home labs and internal infrastructure, it creates significant security exposure when instances are reachable from untrusted networks.
Attack Vector
The attack vector is network-based with low complexity. An attacker requires no privileges or user interaction to exploit this vulnerability. The attack involves:
- Network reconnaissance to identify exposed Glances web server instances (default port 61208)
- Direct HTTP requests to the REST API endpoints
- Extraction of sensitive system information including process command-lines containing credentials
# Security patch in glances/outputs/glances_restful_api.py
# Source: https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25
# Logo
print(self._logo())
+ # Security warning if no authentication is configured
+ if not self.args.password:
+ is_localhost = self.args.bind_address in ('127.0.0.1', 'localhost', '::1')
+ warn_lines = [
+ "WARNING: Glances web server is running WITHOUT authentication.",
+ ]
+ if is_localhost:
+ warn_lines.append(" Use --password to enable authentication.")
+ else:
+ warn_lines.append(" Any client on the network can access system information.")
+ warn_lines.append(" Use --password to enable authentication or")
+ warn_lines.append(" --bind 127.0.0.1 to restrict access to localhost.")
+ warn_lines.append(" See https://glances.readthedocs.io/en/latest/api/restful.html#security")
+ print('\n'.join(warn_lines) + '\n')
+ logger.warning("Glances web server is running without authentication")
# Browser WEBUI
if hasattr(self.args, 'browser') and self.args.browser:
# Template for the root browser.html file
Source: GitHub Commit 208d876
Detection Methods for CVE-2026-32596
Indicators of Compromise
- Unexpected HTTP requests to Glances REST API endpoints (typically port 61208)
- Multiple requests to /api/4/processlist or similar endpoints containing process information
- Network connections from external or unauthorized IP addresses to Glances server ports
- Log entries indicating unauthenticated API access from non-local addresses
Detection Strategies
- Monitor network traffic for connections to port 61208 from external or untrusted sources
- Implement network-level detection rules for HTTP requests to Glances API endpoints
- Audit running Glances instances to identify those started without the --password flag
- Use network scanning tools to identify exposed Glances instances within your environment
Monitoring Recommendations
- Deploy network intrusion detection signatures for Glances API enumeration patterns
- Implement log aggregation for Glances server access logs and correlate with threat intelligence
- Establish baseline monitoring for expected Glances client connections and alert on anomalies
- Conduct periodic vulnerability scans to identify exposed monitoring infrastructure
How to Mitigate CVE-2026-32596
Immediate Actions Required
- Upgrade all Glances installations to version 4.5.2 or later immediately
- Enable authentication on existing Glances web servers using the --password option
- Bind Glances to localhost (--bind 127.0.0.1) if remote access is not required
- Implement network segmentation to restrict access to Glances servers from trusted networks only
- Review process command-lines on monitored systems to identify exposed credentials
Patch Information
Version 4.5.2 addresses this vulnerability by adding prominent security warnings when Glances web server is started without authentication. The fix includes runtime warnings displayed to administrators and enhanced security documentation. Apply the patch by upgrading to Glances 4.5.2 or later via pip: pip install --upgrade glances.
For detailed patch information, see the GitHub Security Advisory GHSA-wvxv-4j8q-4wjq and GitHub Release v4.5.2.
Workarounds
- Enable authentication by starting Glances with glances -w --password
- Bind to localhost only using glances -w --bind 127.0.0.1 if remote access is not needed
- Place Glances behind a reverse proxy with authentication enabled
- Implement firewall rules to restrict access to Glances port 61208 from trusted IP addresses only
# Configuration example - Enable authentication and bind to localhost
glances -w --password --bind 127.0.0.1
# Alternative: Enable authentication only (for trusted internal networks)
glances -w --password
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
