CVE-2026-32609: Glances Information Disclosure Flaw

CVE-2026-32609 is an information disclosure vulnerability in Nicolargo Glances that exposes sensitive data through unauthenticated API endpoints. This article covers the technical details, affected versions, and mitigation.

CVE-2026-32609 Overview

Glances is an open-source cross-platform system monitoring tool maintained by Nicolargo. CVE-2026-32609 is an information disclosure vulnerability [CWE-200] in the Glances REST API. The /api/v4/args and /api/v4/args/{item} endpoints return the complete command-line arguments namespace via vars(self.args). This exposes the password hash (salt plus pbkdf2_hmac), Simple Network Management Protocol (SNMP) community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are reachable without authentication. Version 4.5.2 provides a complete fix.

Critical Impact

Unauthenticated network attackers can retrieve password hashes, SNMP credentials, and configuration paths from any exposed Glances instance running a vulnerable release.

Affected Products

  • Nicolargo Glances versions prior to 4.5.2
  • Glances deployments exposing the /api/v4/args endpoint
  • Glances instances running without the --password flag

Discovery Timeline

  • 2026-03-18 - CVE-2026-32609 published to the National Vulnerability Database (NVD)
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32609

Vulnerability Analysis

The vulnerability resides in the Glances REST API version 4 (/api/v4). A prior fix tracked as GHSA-gh4x (commit 5d3de60) introduced an as_dict_secure() redaction helper for the /api/v4/config endpoints. That fix did not extend to the /api/v4/args and /api/v4/args/{item} endpoints.

These argument endpoints serialize the full argparse namespace using vars(self.args). The namespace contains every parsed runtime argument, including secret material loaded from the Glances configuration file. Attackers reach the endpoints over the network with no credentials, no user interaction, and minimal complexity.

Disclosed material includes the PBKDF2-HMAC password hash and salt, SNMP community strings, SNMP v3 authentication keys, and the absolute path to the configuration file. The password hash enables offline cracking. SNMP credentials grant access to monitored network devices. The configuration path aids follow-on local file inclusion or filesystem attacks when chained with other weaknesses.

Root Cause

The API handler returns the raw argparse namespace without applying the as_dict_secure() redaction used elsewhere in the codebase. Secrets that should be filtered remain in the serialized response.
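To make the root cause concrete, the following added example (not Glances' own code) contrasts the flawed pattern of serializing the raw argparse namespace with a redacting alternative; the namespace fields and the SECRET_KEYS set are assumptions modelled on the field names the advisory cites, not the real as_dict_secure() list.

```python
import argparse
import hashlib
import os
from typing import Any

REDACTED = "********"

# Assumed key set: argparse destinations that hold credentials. The real
# as_dict_secure() list is not reproduced here; these are the fields the advisory names.
SECRET_KEYS = {"password", "snmp_community", "snmp_auth_key"}
SECRET_SUFFIXES = ("password", "community", "auth_key")


def build_args() -> argparse.Namespace:
    """Constructed stand-in for the Glances namespace (not Glances' own parser)."""
    parser = argparse.ArgumentParser()
    parser.add_argument("--conf-file", default="/etc/glances/glances.conf")
    parser.add_argument("--port", type=int, default=61208)
    parser.add_argument("--password", default=None)
    parser.add_argument("--snmp-community", default="public")
    parser.add_argument("--snmp-auth-key", default=None)
    args = parser.parse_args([])
    # Simulate what Glances loads from its config file at startup:
    # a salted PBKDF2-HMAC password hash and an SNMPv3 authentication key.
    salt = os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", b"constructed-pw", salt.encode(), 100_000)
    args.password = salt + "$" + digest.hex()
    args.snmp_auth_key = "constructed-snmpv3-auth-key"
    return args


def args_vulnerable(args: argparse.Namespace) -> dict[str, Any]:
    """The flawed pattern behind CVE-2026-32609: serialize the raw namespace."""
    return vars(args)


def args_secure(args: argparse.Namespace) -> dict[str, Any]:
    """Hardened form: mask every credential-bearing field before serialization."""
    safe = {}
    for key, value in vars(args).items():
        if key in SECRET_KEYS or key.endswith(SECRET_SUFFIXES):
            safe[key] = REDACTED
        else:
            safe[key] = value
    return safe
```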

Attack Vector

An unauthenticated attacker sends an HTTP GET request to /api/v4/args or /api/v4/args/{item} on a reachable Glances instance. The server responds with JSON containing the sensitive argument values. No authentication header, session token, or precondition is required when Glances starts without --password.

No verified public exploit code is published. See the GitHub Security Advisory GHSA-cvwp-r2g2-j824 for vendor technical detail.

Detection Methods for CVE-2026-32609

Indicators of Compromise

  • HTTP GET requests to /api/v4/args or /api/v4/args/{item} from external or unexpected source addresses
  • Outbound Glances API responses containing field names such as password, snmp_community, or snmp_auth_key
  • Unusual scanning patterns targeting the default Glances web server port 61208

Detection Strategies

  • Inspect web server and reverse proxy access logs for requests to /api/v4/args* URIs and alert on non-administrative source addresses.
  • Deploy network signatures that match Glances API response bodies containing argparse keys associated with credentials.
  • Compare deployed Glances binary or package versions against 4.5.2 across the fleet to identify vulnerable hosts.
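The first strategy above, worked as an added example that is not part of the page or the Glances project: it parses constructed combined-format access log lines, keeps only requests to the two affected endpoints, and flags those from outside an assumed administrative range (ADMIN_NETWORKS is a placeholder to adjust).

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample lines in nginx/Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Mar/2026:10:01:02 +0000] "GET /api/v4/cpu HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.5 - - [18/Mar/2026:10:01:10 +0000] "GET /api/v4/args HTTP/1.1" 200 2048 "-" "curl/8.5.0"
203.0.113.77 - - [18/Mar/2026:10:02:31 +0000] "GET /api/v4/args HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.77 - - [18/Mar/2026:10:02:32 +0000] "GET /api/v4/args/password HTTP/1.1" 200 180 "-" "python-requests/2.31"
198.51.100.9 - - [18/Mar/2026:10:03:00 +0000] "GET /api/v4/argsfoo HTTP/1.1" 404 0 "-" "-"
"""

# Assumed management range allowed to query Glances; replace with your own.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Exactly /api/v4/args or /api/v4/args/{item}, with an optional query string.
ARGS_PATH_RE = re.compile(r"^/api/v4/args(?:/[^/?#]+)?(?:[?#].*)?$")


@dataclass
class Alert:
    ip: str
    path: str
    ts: str
    status: int


def is_admin(ip: str) -> bool:
    """True when the source address belongs to an administrative network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def find_suspicious(log_text: str) -> list[Alert]:
    """Return one Alert per affected-endpoint request from a non-admin address."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not ARGS_PATH_RE.match(m["path"]):
            continue
        if is_admin(m["ip"]):
            continue
        alerts.append(Alert(m["ip"], m["path"], m["ts"], int(m["status"])))
    return alerts
```

A 200 status on such a request from outside the management range is the strongest signal, since it means the argument namespace was actually returned.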

Monitoring Recommendations

  • Forward Glances host access logs to a centralized log platform and build queries for the affected endpoint paths.
  • Monitor for new listening services on TCP 61208 on systems not designated as monitoring nodes.
  • Track outbound SNMP authentication failures that may indicate stolen community strings being tested against other infrastructure.

How to Mitigate CVE-2026-32609

Immediate Actions Required

  • Upgrade all Glances installations to version 4.5.2 or later, which extends as_dict_secure() redaction to the /api/v4/args endpoints.
  • Rotate any password hashes, SNMP community strings, and SNMP authentication keys configured in Glances on vulnerable hosts.
  • Restrict network exposure of the Glances web server to trusted management networks only.

Patch Information

The vendor released the fix in Glances v4.5.2. Review the corrective change in the upstream commit ff14eb9 and the coordinated disclosure in GHSA-cvwp-r2g2-j824.

Workarounds

  • Start Glances with the --password flag to require authentication for API endpoints until patching is complete.
  • Block external access to TCP port 61208 at the host firewall and at perimeter network controls.
  • Place Glances behind a reverse proxy that enforces authentication and denies requests to /api/v4/args and /api/v4/args/{item}.
```bash
# Configuration example: restrict Glances API exposure with iptables and require a password
# Allow the management subnet (10.0.0.0/24 here is an example), then drop everyone else
# on the Glances web port. -A appends, so keep these ahead of any earlier rule that
# already accepts the port, or the DROP never matches.
sudo iptables -A INPUT -p tcp --dport 61208 -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 61208 -j DROP
# Start the web server (-w) with --password so the API requires authentication.
glances -w --password
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
