Description

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

INFO

Published Date :

2026-03-18T14:30:37.786Z

Last Modified :

2026-03-18T14:46:18.186Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32609 vulnerability.

Vendors Products
Nicolargo
  • Glances
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32609.

URL Resource
https://github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f cve-icon cve-icon
https://github.com/nicolargo/glances/releases/tag/v4.5.2 cve-icon cve-icon
https://github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact