PT-2026-25847 · Glance+1

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32609

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.2

Description

Glances is a cross-platform system monitoring tool. The application exposes sensitive information through unauthenticated API endpoints. Specifically, the /api/v4/args and /api/v4/args/{item} endpoints return the complete command-line arguments namespace, including the password hash, SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without a password (the default configuration), these endpoints are accessible without authentication. The fix for a similar issue on the /api/v4/config endpoint was not applied to these endpoints. The self.args namespace contains sensitive fields set during initialization, such as password, snmp_community, snmp_user, snmp_auth, conf_file, and username. This exposure allows for unauthenticated network reconnaissance, offline password cracking (when authentication is enabled), lateral movement, and potential supply chain attacks.

Recommendations

Versions prior to 4.5.2: Upgrade to version 4.5.2 or later to address the issue.
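A defender-side triage helper for the exposure described above, added here as an example (it is not Glances project code): it checks a version string against the fixed release and, given a response body captured from your own instance's /api/v4/args endpoint, lists which of the advisory's sensitive fields carry values and returns a redacted copy suitable for a ticket. The underscore field spellings, the function names and the sample body are assumptions constructed for illustration.

```python
import json
import re

# Fields the advisory names as sensitive. Underscore spellings are assumed
# from Glances' command-line option names.
SENSITIVE_FIELDS = frozenset({"password", "snmp_community", "snmp_user",
                              "snmp_auth", "conf_file", "username"})
FIXED_VERSION = (4, 5, 2)  # first fixed release per the advisory


def is_affected(version):
    """True if a dotted version string is prior to 4.5.2 (suffixes ignored)."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if not nums:
        raise ValueError(f"no version number in {version!r}")
    nums += [0] * (3 - len(nums))
    return tuple(nums) < FIXED_VERSION


def audit_args_response(body):
    """Return (leaked sensitive field names, redacted copy) for an args body."""
    args = json.loads(body) if isinstance(body, (str, bytes)) else body
    if not isinstance(args, dict):
        raise ValueError("expected a JSON object")
    leaked = sorted(k for k in args
                    if k in SENSITIVE_FIELDS and args[k] not in (None, ""))
    redacted = {k: ("<redacted>" if k in leaked else v) for k, v in args.items()}
    return leaked, redacted


# Constructed sample body; keys and values are illustrative, not real output.
SAMPLE_BODY = json.dumps({
    "webserver": True, "port": 61208,
    "password": "", "username": "glances",
    "snmp_community": "constructed-community",
    "snmp_user": "private", "snmp_auth": "constructed-key",
    "conf_file": "/etc/glances/glances.conf",
})

if __name__ == "__main__":
    leaked, redacted = audit_args_response(SAMPLE_BODY)
    print("affected version:", is_affected("4.5.1"))
    print("fields exposed:", ", ".join(leaked) or "none")
    print(json.dumps(redacted, indent=2))
```

Any field reported as exposed on an instance reachable by others should be treated as disclosed and rotated after upgrading to 4.5.2 or later.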

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2026-07330
CVE-2026-32609
GHSA-CVWP-R2G2-J824
OPENSUSE-SU-2026:10415-1

Affected Products

Glance
Red Os