Description
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
Published: 2026-03-18
Score: 8.7 High
EPSS: 4.6% Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

Glances is an open-source, cross-platform system monitoring tool. Starting it with `glances -w` launches its web server and REST API; before version 4.5.2 that API ran with no authentication by default. Any client that can reach the listening port can therefore pull the host's monitoring data, including the full command line of every process, and command lines routinely carry secrets (database passwords, API keys, bearer tokens) passed as arguments. The weakness is a plain Information Exposure (CWE-200): confidentiality is lost, while host integrity and availability are not directly affected, which is exactly what the CVSS vectors recorded below score (C:H/I:N/A:N and VC:H/VI:N/VA:N).
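To make the exposure concrete, here is an added example written for this page; it is not code from the Glances project or from the advisory. It does two things: fetches the process list from a Glances web server without sending any credentials (an HTTP 200 with a JSON list is the CVE-2026-32596 condition), and runs a credential heuristic over the returned command lines. The default port (61208), the API path (`/api/4/processlist`) and the payload shape (`pid`, `name`, `cmdline` list) are assumptions from Glances 4.x, not facts stated on this page; the sample process list is constructed, and the secrets in it are invented.

```python
"""Audit a Glances web server for the CVE-2026-32596 exposure.

Added example for this page; not code from the Glances project or the advisory.
Assumptions (from the author's knowledge of Glances 4.x, not from the page):
  * the web server started by `glances -w` listens on TCP 61208 by default;
  * the REST API lives under /api/4/, and /api/4/processlist returns a JSON
    list of process objects whose "cmdline" key is the argv list.
"""
import json
import re
import sys
import urllib.error
import urllib.request

DEFAULT_PORT = 61208                      # assumed Glances default port
PROCESSLIST_PATH = "/api/4/processlist"   # assumed Glances 4 API path

# An argv element that names a credential, e.g. --password=x, --token x,
# DB_PASSWORD=x, --mysql-password=x.  The key must be followed by "=" or the
# end of the element, so --password-file=/path is deliberately not matched.
SECRET_ARG = re.compile(
    r"^-{0,2}(?:[a-z0-9_-]*[-_])?"
    r"(?:pass(?:word|wd)?|pwd|token|api[-_]?key|secret(?:[-_]?key)?|access[-_]?key)"
    r"(?:=|$)",
    re.IGNORECASE,
)
# A URL with an embedded user:password@ pair.
SECRET_URL = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s]+:[^/@\s]+@", re.IGNORECASE)


def find_secrets_in_cmdline(cmdline):
    """Return (argv_index, value) pairs that look like credentials in one argv.

    Handles both "--password=VALUE" and "--password VALUE" forms, plus
    user:password URLs.  For the "--key VALUE" form the value is the next
    element, so the reported index points at the element holding the secret.
    """
    hits = []
    for i, arg in enumerate(cmdline):
        if SECRET_ARG.match(arg):
            if "=" in arg:
                hits.append((i, arg.split("=", 1)[1]))
            elif i + 1 < len(cmdline):
                hits.append((i + 1, cmdline[i + 1]))
        elif SECRET_URL.match(arg):
            hits.append((i, arg))
    return hits


def audit_processlist(processes):
    """Run the cmdline check over a Glances processlist payload."""
    findings = []
    for proc in processes:
        for idx, value in find_secrets_in_cmdline(proc.get("cmdline") or []):
            findings.append({"pid": proc.get("pid"), "name": proc.get("name"),
                             "argv_index": idx, "value": value})
    return findings


def fetch_processlist(host, port=DEFAULT_PORT, timeout=5.0):
    """GET the process list with no credentials.

    Returns (http_status, payload).  A 200 with a JSON list means the API is
    answering unauthenticated (the CVE-2026-32596 condition); 401/403 means
    something is enforcing authentication; None means no HTTP answer at all.
    """
    url = f"http://{host}:{port}{PROCESSLIST_PATH}"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, None
    except (urllib.error.URLError, OSError):
        return None, None


# Constructed sample payload shaped like Glances processlist entries (not real
# output); the secrets in it are invented for the demonstration.
SAMPLE_PROCESSLIST = [
    {"pid": 1201, "name": "mysql",
     "cmdline": ["mysql", "-u", "app", "--password=hunter2", "appdb"]},
    {"pid": 1310, "name": "python3",
     "cmdline": ["python3", "worker.py", "--api-key", "sk-live-0123456789"]},
    {"pid": 1422, "name": "git",
     "cmdline": ["git", "clone", "https://deploy:s3cr3t@git.example.internal/app.git"]},
    {"pid": 1500, "name": "sshd", "cmdline": ["sshd: /usr/sbin/sshd -D"]},
    {"pid": 1601, "name": "vault",
     "cmdline": ["vault", "server", "-config=/etc/vault.hcl"]},
]


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live check against a host
        status, payload = fetch_processlist(sys.argv[1])
        print(f"HTTP status: {status}")
        exposed = status == 200 and isinstance(payload, list)
        print("API answered without authentication" if exposed
              else "API not reachable without authentication")
        findings = audit_processlist(payload) if exposed else []
    else:                                       # offline demo on sample data
        findings = audit_processlist(SAMPLE_PROCESSLIST)
    for f in findings:
        print(f"pid {f['pid']} ({f['name']}): argv[{f['argv_index']}] "
              f"looks like a credential")
```

Run it with no arguments to see the heuristic on the sample data, or pass a hostname to probe a real instance from a network position you are authorized to test from. The regex is a heuristic: it catches the common `--password=`, `--token VALUE`, `VAR=value` and `user:pass@` shapes but not single-letter forms such as MySQL's `-pSECRET`, and a bare word like `token` as an argument will produce a false positive; review the findings rather than acting on them blindly.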

Affected Systems

The affected product is nicolargo:glances. All releases prior to 4.5.2 are vulnerable when the web server is started with `glances -w`. The CPE entry cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:* is fully wildcarded, so the match covers every version, update, edition, platform and architecture variant; the version bound (everything before 4.5.2) comes from the advisory text, not from the CPE itself.

Risk and Exploitability

The CVSS v4.0 base score of 8.7 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) rates this High; the CVSS v3.1 score recorded in the history below is 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Both vectors record a network attack vector, no privileges, no user interaction and impact on confidentiality only. The EPSS score is low (4.6 % in the header above) and the CVE is not in the CISA KEV catalog, but the SSVC assessment in the history below records Exploitation: poc and Automatable: yes, which fits the flaw: there is no exploit to develop, since a single unauthenticated HTTP request to the REST API returns the data. Anyone who can reach the web server's port can read process command lines and harvest the credentials in them, a direct route to credential theft and lateral movement, so an instance that was reachable from an untrusted network should be treated as having leaked those credentials.

Generated by OpenCVE AI on March 18, 2026 at 19:54 UTC.

Remediation

Fixed in Glances 4.5.2, per the description above and the GHSA advisory listed under Advisories; upgrade. Until the upgrade is in place, do not leave a `glances -w` instance reachable from untrusted networks: bind it to loopback or a management-only address, or front it with an authenticating reverse proxy. Glances' own `--password` option for the web server (not mentioned on this page) adds authentication and is worth enabling on any instance that must stay exposed. On hosts where the API was reachable from untrusted networks, rotate any credentials that were passed on process command lines.

OpenCVE Recommended Actions

  • Upgrade to Glances version 4.5.2 or later, the release that fixes the unauthenticated REST API default

Advisories

Source: GitHub GHSA
ID: GHSA-wvxv-4j8q-4wjq
Title: Glances exposes the REST API without authentication
History

Wed, 18 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Wed, 18 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nicolargo; Nicolargo glances
Vendors & Products | | Nicolargo; Nicolargo glances

Wed, 18 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
Title | | Glances exposes the REST API without authentication
Weaknesses | | CWE-200
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T15:45:18.808Z

Reserved: 2026-03-12T14:54:24.269Z

Link: CVE-2026-32596

Vulnrichment

Updated: 2026-03-18T15:45:09.736Z

NVD

Status : Analyzed

Published: 2026-03-18T06:16:18.800

Modified: 2026-03-18T18:33:12.503

Link: CVE-2026-32596

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:59:17Z

Weaknesses