Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Published: 2026-03-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch Immediately
AI Analysis

Impact

Glances is a cross‑platform monitoring tool whose API endpoints expose internal configuration information. The /api/v4/args and /api/v4/args/{item} endpoints return a full command‑line argument namespace via vars(self.args). This namespace contains sensitive secrets such as password hashes (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the path to the configuration file. The vulnerability is a direct information disclosure (CWE‑200) that allows an attacker to obtain confidential credential material without authentication.

Affected Systems

The issue affects all Glances releases prior to v4.5.2. The affected vendor product is nicolargo:glances and the affected versions are those lacking the patch that introduces the as_dict_secure redaction for all API endpoints. The vendor released a more complete fix in Glances 4.5.2, which removes the exposed credential data from the API responses.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate‑to‑high severity impact. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KeV catalog. Attackers can exploit the flaw by sending unauthenticated requests to the /api/v4/args endpoints and capturing the returned JSON payload, thereby retrieving the secrets. The lack of authentication on default installations creates a straightforward attack pathway.

Generated by OpenCVE AI on March 19, 2026 at 16:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Glances to version 4.5.2 or later, which removes secret leakage from all API endpoints.

Generated by OpenCVE AI on March 19, 2026 at 16:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cvwp-r2g2-j824 Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
History

Thu, 19 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Title Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T14:46:18.186Z

Reserved: 2026-03-12T14:54:24.270Z

Link: CVE-2026-32609

cve-icon Vulnrichment

Updated: 2026-03-18T14:46:14.230Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T15:16:30.780

Modified: 2026-03-19T14:55:31.660

Link: CVE-2026-32609

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:44Z

Weaknesses