PT-2026-25844 · Glance+1 · Glance+1

Dhiyaneshgeek · Published 2026-03-14 · Updated 2026-05-08 · CVE-2026-32596

CVSS v4.0: 8.7 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.2

Description

Glances, a cross-platform system monitoring tool, has an issue where the web server runs without authentication by default when started with glances -w. This exposes a REST API containing sensitive system information, including process command lines that may contain credentials such as passwords, API keys, and tokens, to any network client. API endpoints such as /api/4/system and /api/4/all allow access to system information, process lists, network connections, filesystems, and Docker containers. The vulnerable code resides in files such as glances/outputs/glances_restful_api.py and glances/plugins/processlist/__init__.py. The cmdline parameter within the process list API (/api/4/processlist) exposes full command-line arguments without sanitization. This can lead to complete system reconnaissance and credential harvesting, potentially enabling lateral movement and targeted attacks.

Recommendations

Versions prior to 4.5.2 should be updated to version 4.5.2 or later.
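
For operators assessing their own hosts, the following added example (not part of the advisory or of the Glances code base) audits a saved /api/4/processlist response for secret-like values in the cmdline field and prints a redacted view. It assumes the response is a JSON array of objects with pid, name and a cmdline list of argument strings; the function names, the regex heuristics and the sample data are constructed for illustration.

```python
import json
import re

# Constructed sample; assumed shape of a /api/4/processlist response:
# a JSON array of objects whose "cmdline" is a list of argument strings.
SAMPLE_RESPONSE = json.dumps([
    {"pid": 812, "name": "nginx", "cmdline": ["nginx", "-g", "daemon off;"]},
    {"pid": 1044, "name": "mysqldump",
     "cmdline": ["mysqldump", "-u", "backup", "--password=EXAMPLE-ONLY", "shop"]},
    {"pid": 1310, "name": "curl",
     "cmdline": ["curl", "-H", "Authorization: Bearer EXAMPLE.TOKEN", "https://api.example.invalid/"]},
    {"pid": 1422, "name": "worker", "cmdline": ["worker", "--api-key", "EXAMPLE-KEY", "--verbose"]},
    {"pid": 1500, "name": "kthreadd", "cmdline": None},
])

SECRET_NAME = r"(?:pass(?:word|wd)?|secret|token|api[-_]?key|access[-_]?key)"
INLINE = re.compile(rf"(?i)^(-{{0,2}}[\w-]*{SECRET_NAME}[\w-]*[=:])(.+)$")  # --password=value
FLAG_ONLY = re.compile(rf"(?i)^-{{1,2}}[\w-]*{SECRET_NAME}[\w-]*$")         # --api-key value
AUTH_HEADER = re.compile(r"(?i)^(authorization:\s*(?:bearer|basic)\s+)(.+)$")

def redact_cmdline(args):
    """Return (redacted_args, hit_count) for one process's argument list."""
    out, hits, redact_next = [], 0, False
    for arg in args:
        m = INLINE.match(arg) or AUTH_HEADER.match(arg)
        if redact_next or m:
            out.append("[REDACTED]" if redact_next else m.group(1) + "[REDACTED]")
            hits += 1
            redact_next = False
        else:
            out.append(arg)
            redact_next = bool(FLAG_ONLY.match(arg))  # secret is the next argument
    return out, hits

def audit_processlist(body):
    """Return [(pid, name, redacted_cmdline)] for processes with secret-like arguments."""
    findings = []
    for proc in json.loads(body):
        args = proc.get("cmdline") or []
        if isinstance(args, str):  # tolerate a cmdline delivered as one string
            args = args.split()
        redacted, hits = redact_cmdline(args)
        if hits:
            findings.append((proc.get("pid"), proc.get("name"), redacted))
    return findings

if __name__ == "__main__":
    for pid, name, cmd in audit_processlist(SAMPLE_RESPONSE):
        print(pid, name, " ".join(cmd))
```

Any process this reports is passing a secret on its command line and should be moved to an environment file, stdin or a secrets store, independently of upgrading to 4.5.2 or later.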

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2026-04359
CVE-2026-32596
GHSA-WVXV-4J8Q-4WJQ
OPENSUSE-SU-2026:10415-1

Affected Products

Glance
Red Os