CVE-2026-32609 Overview
Glances is an open-source cross-platform system monitoring tool that exposes a REST API for remote system monitoring. CVE-2026-32609 is an information disclosure vulnerability affecting the /api/v4/args and /api/v4/args/{item} endpoints. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes sensitive information such as password hashes (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and configuration file paths. When Glances runs without the --password flag (the default configuration), these endpoints are accessible without any authentication, allowing unauthenticated attackers to retrieve sensitive configuration secrets.
Critical Impact
Unauthenticated attackers can access sensitive credentials including password hashes, SNMP community strings, and authentication keys via exposed API endpoints, potentially leading to further system compromise.
Affected Products
- Nicolargo Glances versions prior to 4.5.2
Discovery Timeline
- 2026-03-18 - CVE-2026-32609 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32609
Vulnerability Analysis
This vulnerability represents an incomplete fix for a previous security issue (GHSA-gh4x). The earlier fix introduced the as_dict_secure() redaction method to address unauthenticated configuration secrets exposure on the /api/v4/config endpoints. However, the security patch failed to address two additional API endpoints: /api/v4/args and /api/v4/args/{item}.
These overlooked endpoints directly return the complete command-line arguments namespace by calling vars(self.args) without any sanitization or redaction. This exposes highly sensitive information including password hashes constructed from salt and pbkdf2_hmac, SNMP community strings used for network device authentication, SNMP authentication keys, and the full path to the configuration file.
The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), as it allows unauthorized disclosure of sensitive system configuration data.
Root Cause
The root cause is incomplete security remediation during the GHSA-gh4x fix. While the developers correctly identified and addressed the information disclosure issue in the /api/v4/config endpoints, they did not perform a comprehensive audit of all API endpoints that might expose similar sensitive data. The /api/v4/args endpoints were left unprotected, returning raw argument data without any filtering or authentication requirements.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction when Glances is running in its default configuration (without the --password flag). An attacker can simply send HTTP GET requests to the vulnerable API endpoints to retrieve sensitive configuration data.
The attack flow involves:
- Identifying a Glances instance accessible over the network
- Sending a GET request to /api/v4/args or /api/v4/args/{item}
- Receiving the complete command-line arguments including sensitive credentials
- Using obtained credentials for lateral movement or further exploitation
# Security patch in glances/outputs/glances_restful_api.py
# Source: https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f
# Excerpt from the body of the REST API class; the first line is the tail of the
# preceding endpoint handler and is kept only as the commit's surrounding context.
        return GlancesJSONResponse(ret_item)

    # Args keys that must always be redacted (even for authenticated users)
    _ALWAYS_REDACTED_ARGS = frozenset({'password'})

    # Args keys redacted when no authentication is configured
    _SENSITIVE_ARGS = frozenset(
        {
            'password',
            'snmp_community',
            'snmp_user',
            'snmp_auth',
            'conf_file',
            'username',
        }
    )

    def _sanitize_args(self):
        """Return a sanitized copy of self.args as a dict.

        - password hash is always redacted (even for authenticated users)
        - other sensitive fields are redacted when no authentication is configured
        """
        args_json = vars(self.args).copy()
        if not self.args.password:
            # No --password: nothing protects the API, so mask every sensitive key
            for key in self._SENSITIVE_ARGS:
                if key in args_json:
                    args_json[key] = '********'
        else:
            # The excerpt is cut off here; this branch and the return are reconstructed
            # from the docstring (authenticated callers still never see the password hash)
            for key in self._ALWAYS_REDACTED_ARGS:
                if key in args_json:
                    args_json[key] = '********'
        return args_json
Detection Methods for CVE-2026-32609
Indicators of Compromise
- Unusual HTTP GET requests to /api/v4/args or /api/v4/args/{item} endpoints from external or unauthorized sources
- Multiple sequential requests to Glances API endpoints from a single IP address indicating enumeration activity
- Access logs showing requests to /api/v4/args endpoints without corresponding authentication events
Detection Strategies
- Monitor web server and application logs for requests to /api/v4/args and /api/v4/args/{item} endpoints
- Implement network-based intrusion detection rules to alert on unauthenticated access to Glances API endpoints
- Deploy web application firewall (WAF) rules to detect and block reconnaissance attempts against Glances instances
- Use SentinelOne Singularity to monitor for suspicious network connections to systems running Glances
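The following is an added example, not part of the advisory or of the Glances project, showing how the indicators above can be checked against access logs. It assumes a reverse proxy in front of Glances writes Common Log Format lines, that 10.0.0.0/8 is the trusted monitoring network, and that three or more API requests from one address within a minute count as enumeration; the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Common Log Format) such as a reverse proxy in front of
# Glances might write. The addresses, times and sizes are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2026:10:01:02 +0000] "GET /api/v4/cpu HTTP/1.1" 200 312
203.0.113.7 - - [18/Mar/2026:10:01:05 +0000] "GET /api/v4/args HTTP/1.1" 200 1840
203.0.113.7 - - [18/Mar/2026:10:01:06 +0000] "GET /api/v4/args/snmp_community HTTP/1.1" 200 18
203.0.113.7 - - [18/Mar/2026:10:01:06 +0000] "GET /api/v4/config HTTP/1.1" 200 2210
203.0.113.7 - - [18/Mar/2026:10:01:07 +0000] "GET /api/v4/mem HTTP/1.1" 200 290
10.0.0.9 - - [18/Mar/2026:10:02:40 +0000] "GET /api/v4/args HTTP/1.1" 401 0
10.0.0.5 - - [18/Mar/2026:10:03:00 +0000] "GET /api/v4/all HTTP/1.1" 200 9800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
# Matches /api/v4/args and /api/v4/args/{item}, with or without a query string
ARGS_PATH_RE = re.compile(r'^/api/v4/args(/[^/?]+)?/?(\?.*)?$')

# Assumption for this example: Glances clients should only come from this range.
TRUSTED_NETS = [ipaddress.ip_network('10.0.0.0/8')]


def parse_line(line):
    """Parse one CLF line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def args_endpoint_findings(records):
    """One finding per request to the vulnerable endpoints, classified for triage."""
    findings = []
    for r in records:
        if not ARGS_PATH_RE.match(r['path']):
            continue
        if r['status'] in (401, 403):
            verdict = 'rejected'    # authentication was enforced on the request
        elif is_trusted(r['ip']):
            verdict = 'internal'    # allowed source, still worth a look
        else:
            verdict = 'disclosure'  # success from an untrusted source: treat as exposure
        findings.append({'ip': r['ip'], 'path': r['path'], 'status': r['status'], 'verdict': verdict})
    return findings


def enumeration_sources(records, threshold=3, window_seconds=60):
    """IPs that hit `threshold` or more /api/v4/ endpoints inside a sliding time window."""
    by_ip = defaultdict(list)
    for r in records:
        if r['path'].startswith('/api/v4/'):
            by_ip[r['ip']].append(r['ts'])
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append((ip, len(times)))
                break
    return flagged


def analyze(log_text):
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    return {
        'args_requests': args_endpoint_findings(records),
        'enumeration': enumeration_sources(records),
    }


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    for f in result['args_requests']:
        print(f"{f['verdict']:<10} {f['ip']:<15} {f['status']} {f['path']}")
    for ip, n in result['enumeration']:
        print(f"enumeration: {ip} made {n} API requests within a short window")
```

A 401 on /api/v4/args is evidence that authentication is enforced on that instance; a 200 from outside the trusted range is the condition to escalate, and that same address appearing in the enumeration list (four API paths in two seconds in the sample) is the reconnaissance pattern the indicators describe.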
Monitoring Recommendations
- Enable verbose logging for Glances API access and forward logs to a centralized SIEM
- Create alerts for access to sensitive API endpoints from untrusted network ranges
- Regularly audit Glances instances to ensure they are running with authentication enabled
How to Mitigate CVE-2026-32609
Immediate Actions Required
- Upgrade Glances to version 4.5.2 or later immediately
- Enable authentication by running Glances with the --password flag until patching is complete
- Restrict network access to Glances API endpoints using firewall rules or network segmentation
- Rotate any credentials that may have been exposed, including SNMP community strings and authentication keys
Patch Information
The vulnerability has been addressed in Glances version 4.5.2. The fix introduces the _sanitize_args() method that redacts sensitive arguments before returning them via the API. Password hashes are always redacted, while other sensitive fields (SNMP credentials, configuration file paths, usernames) are redacted when no authentication is configured.
For detailed patch information, see the GitHub Security Advisory GHSA-cvwp-r2g2-j824 and the GitHub Release v4.5.2.
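To make the exposure described in the vulnerability analysis and the redaction rule described here concrete, the following is an added example; it is not code from the Glances project. The sensitive key names follow the 4.5.2 patch, while the namespace values, the pbkdf2 encoding and the function names are constructed for the example. It shows the pre-fix view of the namespace next to the sanitized view, in both the default (no --password) and the authenticated case, and applies the same sanitized copy to the /api/v4/args/{item} lookup.

```python
import argparse
import hashlib
import os

REDACTED = '********'
# Key sets mirror the names listed in the 4.5.2 patch; everything else here is constructed.
ALWAYS_REDACTED_ARGS = frozenset({'password'})
SENSITIVE_ARGS = frozenset(
    {'password', 'snmp_community', 'snmp_user', 'snmp_auth', 'conf_file', 'username'}
)


def make_password_hash(plaintext, iterations=100_000):
    """Salt + pbkdf2_hmac digest, the kind of secret the advisory says the endpoint leaked.
    Illustrative only: the exact encoding Glances stores is not reproduced here."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac('sha256', plaintext.encode(), salt, iterations)
    return salt.hex() + '$' + digest.hex()


def build_sample_args(password_hash=''):
    """Constructed stand-in for the parsed Glances command line (argparse.Namespace).
    password is '' when the server runs without --password, which is the default."""
    return argparse.Namespace(
        password=password_hash,
        username='glances',
        snmp_community='public',
        snmp_user='monitor',
        snmp_auth='constructed-snmp-auth-key',
        conf_file='/etc/glances/glances.conf',
        port=61208,
        disable_webui=False,
    )


def vulnerable_args_view(args):
    """Pre-fix behaviour of /api/v4/args: the namespace is serialised verbatim."""
    return vars(args)


def sanitize_args(args):
    """Post-fix behaviour: the password hash is always masked; the other sensitive
    keys are masked only when no password (hence no authentication) is configured."""
    args_json = vars(args).copy()
    keys = ALWAYS_REDACTED_ARGS if args.password else SENSITIVE_ARGS
    for key in keys:
        if key in args_json:
            args_json[key] = REDACTED
    return args_json


def args_item_view(args, item):
    """Post-fix /api/v4/args/{item}: look the item up in the sanitized copy, never in vars(args)."""
    sanitized = sanitize_args(args)
    if item not in sanitized:
        raise KeyError(item)
    return sanitized[item]


def leaked_keys(view):
    """Sensitive keys a response dict returns with a real (unmasked, non-empty) value."""
    return sorted(k for k in SENSITIVE_ARGS if view.get(k) not in (None, '', REDACTED))


if __name__ == '__main__':
    unauth = build_sample_args()
    print('unauthenticated, vulnerable:', leaked_keys(vulnerable_args_view(unauth)))
    print('unauthenticated, fixed:     ', leaked_keys(sanitize_args(unauth)))
    authed = build_sample_args(make_password_hash('example-password'))
    print('authenticated, fixed:       ', leaked_keys(sanitize_args(authed)))
    print('item lookup, unauthenticated:', args_item_view(unauth, 'snmp_community'))
```

The point the item endpoint makes is that redaction has to sit on the data, not on one route: if the {item} handler had read from vars(self.args) directly, masking the full listing alone would have left every sensitive key retrievable one name at a time.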
Workarounds
- Run Glances with the --password flag to enable authentication and require credentials for API access
- Implement network-level access controls to restrict access to Glances API endpoints to trusted networks only
- Place Glances instances behind a reverse proxy with authentication requirements
- Disable the REST API entirely if remote monitoring is not required by omitting the -w or --webserver flag
# Configuration example: Enable authentication when starting Glances
glances -w --password
# Alternative: Restrict network access via firewall (iptables example)
iptables -A INPUT -p tcp --dport 61208 -s trusted_network/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 61208 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

