CVE-2026-32609
Published: 18 March 2026
Summary
CVE-2026-32609 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Nicolargo Glances. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 22.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-6 (Configuration Settings).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by remediating the flaw through upgrade to Glances 4.5.2, which implements secure redaction on the /api/v4/args endpoints.
- AC-14 (Permitted Actions Without Identification or Authentication): prohibits unauthenticated access to sensitive endpoints like /api/v4/args that expose password hashes, SNMP credentials, and configuration paths.
- CM-6 (Configuration Settings): enforces secure configuration settings such as the --password option to require authentication and prevent default unauthenticated exposure of sensitive arguments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the exposed Glances web API directly enables unauthenticated exploitation of a public-facing application (T1190) and retrieval of unsecured credentials, including password hashes and SNMP secrets (T1552).
NVD Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Deeper analysis
CVE-2026-32609 is a vulnerability in Glances, an open-source cross-platform system monitoring tool, stemming from incomplete remediation of a prior issue. A previous fix (GHSA-gh4x, commit 5d3de60) addressed unauthenticated exposure of configuration secrets on the `/api/v4/config` endpoints by implementing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints remained unprotected, as they expose the full command-line arguments namespace via `vars(self.args)`. This includes sensitive data such as password hashes (salt + PBKDF2-HMAC), SNMP community strings, SNMP authentication keys, and the configuration file path. The vulnerability affects Glances versions prior to 4.5.2 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), mapped to CWE-200 (Exposure of Sensitive Information).
Any unauthenticated attacker with network access to a Glances instance can exploit this by directly querying the vulnerable endpoints. By default, Glances runs without the `--password` option, leaving these endpoints accessible without authentication. Successful exploitation allows retrieval of the password hash, SNMP credentials, and configuration file path, enabling potential further attacks such as credential cracking, SNMP enumeration, or targeted reconnaissance via the exposed config file.
The Glances security advisory (GHSA-cvwp-r2g2-j824) and release notes for version 4.5.2 detail the fix via commit ff14eb9780ee10ec018c754754b1c8c7bfb6c44f, which applies secure redaction to the `/api/v4/args` endpoints. Security practitioners should upgrade to Glances 4.5.2 or later and consider enabling authentication with `--password` on exposed instances to mitigate risk.
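The following is an added illustration of the flaw described in the NVD description and the analysis above, not code from the Glances project: a handler that serialises `vars(args)` verbatim beside a hardened form that redacts sensitive argument names before returning them, plus a small check a defender can run over a captured response body. The option names in `SAMPLE_ARGS` and `SENSITIVE_ARG_NAMES` are assumptions chosen to mirror the fields the advisory lists, not Glances' real option set.

```python
"""Model of the CVE-2026-32609 pattern (added example, not Glances code)."""
import argparse
from typing import Any, Dict, List

# Constructed sample namespace standing in for Glances' self.args.
# Values are made up; none is a real hash, key or community string.
SAMPLE_ARGS = argparse.Namespace(
    password="sha256$c0n5tructed$pbkdf2_hmac_placeholder",
    snmp_community="public",
    snmp_auth="constructed-auth-key",
    conf_file="/etc/glances/glances.conf",
    port=61208,
    disable_plugin="docker",
)

# Assumed list of argument names that must never leave the host unredacted.
SENSITIVE_ARG_NAMES = frozenset({"password", "snmp_community", "snmp_auth", "conf_file"})
REDACTED = "********"


def args_vulnerable(args: argparse.Namespace) -> Dict[str, Any]:
    """Pre-4.5.2 behaviour of /api/v4/args: the whole namespace, secrets included."""
    return dict(vars(args))


def args_secure(args: argparse.Namespace) -> Dict[str, Any]:
    """Hardened form: same keys, but sensitive values are replaced before serialising."""
    return {k: (REDACTED if k in SENSITIVE_ARG_NAMES else v) for k, v in vars(args).items()}


def args_item_secure(args: argparse.Namespace, item: str) -> Any:
    """Hardened form of /api/v4/args/{item}: never hand out a secret by name."""
    if item in SENSITIVE_ARG_NAMES:
        return REDACTED
    return vars(args).get(item)  # None for unknown items instead of a KeyError


def exposed_fields(payload: Dict[str, Any]) -> List[str]:
    """Defender check over a response body: sensitive keys present and not redacted."""
    return sorted(k for k in SENSITIVE_ARG_NAMES if k in payload and payload[k] != REDACTED)


if __name__ == "__main__":
    print("vulnerable exposes:", exposed_fields(args_vulnerable(SAMPLE_ARGS)))
    print("secure exposes:   ", exposed_fields(args_secure(SAMPLE_ARGS)))
```

Feeding the JSON body returned by an instance's `/api/v4/args` into `exposed_fields` tells you whether that instance still serves the unredacted namespace after an upgrade.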
Details
- CWE(s)