CVE-2026-32596
Published 2026-03-18
CVE-2026-32596: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with…
PriorityP259high7.5CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 1.55% (72.0th percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
Detection & IOCs (extracted from sources)
- Unauthenticated HTTP GET to /api/4/system returning JSON with fields 'os_name', 'os_version', 'hostname' indicates a vulnerable Glances instance exposed without authentication.
- Unauthenticated HTTP GET to /api/4/processlist returning JSON with fields 'cmdline', 'cpu_times', 'memory_info' confirms the exploitation path: process command-lines may contain credentials, API keys, or tokens.
- Glances web server is started with 'glances -w'; scan for this process invocation on hosts to identify exposed instances.
- Both API endpoints must return HTTP 200 with Content-Type 'application/json' for the vulnerability to be confirmed exploitable; chain both checks in detection logic.
- The vulnerability only exists when Glances is started in web server mode; instances not launched with '-w' are not affected.
- The vulnerable API is version 4 (/api/4/); earlier API versions may use different paths and should be assessed separately.
- No authentication or special privileges are required to exploit this vulnerability; any network-reachable client can query the API.
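The chained check described in the detection notes, written out as a small Python routine. This is an added example for host owners verifying their own deployments; it is not code from the advisory sources or from the Glances project. An instance is reported as exposed only when both `/api/4/system` and `/api/4/processlist` answer HTTP 200 with a JSON content type and carry the expected fields; a 401 (authentication enabled) or a non-JSON answer (some other service on the port) is reported as not exposed. The check never prints or stores command-line contents, only whether the field is present. The sample responses are constructed, the default port 61208 is Glances' documented web-server port, and `probe()` is the only network call.

```python
"""Offline-testable check for an unauthenticated Glances web API (CVE-2026-32596)."""
import json
from typing import NamedTuple, Optional
import urllib.error
import urllib.request


class Response(NamedTuple):
    status: Optional[int]   # None when the host could not be reached at all
    content_type: str
    body: str


# Fields the detection notes name for each endpoint.
SYSTEM_FIELDS = {"os_name", "os_version", "hostname"}
PROCESS_FIELDS = {"cmdline", "cpu_times", "memory_info"}


def _json_ok(resp: Response):
    """Return the parsed body if the response is HTTP 200 with a JSON content type, else None."""
    if resp.status != 200:
        return None
    if resp.content_type.split(";")[0].strip().lower() != "application/json":
        return None
    try:
        return json.loads(resp.body)
    except ValueError:
        return None


def system_exposed(resp: Response) -> bool:
    """/api/4/system answers as a JSON object carrying the expected host fields."""
    data = _json_ok(resp)
    return isinstance(data, dict) and SYSTEM_FIELDS.issubset(data)


def processlist_exposed(resp: Response) -> bool:
    """/api/4/processlist answers as a non-empty JSON list whose entries carry
    the process fields. Only field presence is examined; cmdline values are
    never read, logged or returned by this check."""
    data = _json_ok(resp)
    if not isinstance(data, list) or not data:
        return False
    first = data[0]
    return isinstance(first, dict) and PROCESS_FIELDS.issubset(first)


def classify(system: Response, processlist: Response) -> str:
    """Chain both endpoint checks: 'exposed' needs both, one alone is 'indeterminate'."""
    sys_hit = system_exposed(system)
    proc_hit = processlist_exposed(processlist)
    if sys_hit and proc_hit:
        return "exposed"
    if sys_hit or proc_hit:
        return "indeterminate"
    return "not_exposed"


def fetch(base_url: str, path: str, timeout: float = 5.0) -> Response:
    """Fetch one endpoint; HTTP error statuses are captured, not raised."""
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Content-Type", ""), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.headers.get("Content-Type", ""), "")
    except (urllib.error.URLError, OSError):
        return Response(None, "", "")


def probe(base_url: str = "http://127.0.0.1:61208") -> str:
    """Classify a live host you administer, e.g. probe('http://127.0.0.1:61208')."""
    return classify(fetch(base_url, "/api/4/system"), fetch(base_url, "/api/4/processlist"))


# Constructed sample responses (not captured from any real host).
SAMPLE_EXPOSED = (
    Response(200, "application/json",
             json.dumps({"os_name": "Linux", "os_version": "6.1.0", "hostname": "sample-host"})),
    Response(200, "application/json",
             json.dumps([{"pid": 4242, "name": "worker", "cmdline": ["worker", "--token", "SAMPLE"],
                          "cpu_times": {}, "memory_info": {}}])),
)
SAMPLE_AUTH_REQUIRED = (   # what a password-protected instance answers
    Response(401, "application/json", json.dumps({"detail": "Not authenticated"})),
    Response(401, "application/json", json.dumps({"detail": "Not authenticated"})),
)
SAMPLE_OTHER_SERVICE = (   # some unrelated web app on the same port
    Response(200, "text/html; charset=utf-8", "<html><body>login</body></html>"),
    Response(404, "text/html; charset=utf-8", "<html><body>not found</body></html>"),
)

if __name__ == "__main__":
    for label, pair in (("exposed", SAMPLE_EXPOSED), ("auth", SAMPLE_AUTH_REQUIRED),
                        ("other", SAMPLE_OTHER_SERVICE)):
        print(label, "->", classify(*pair))
```

Because `classify` takes plain `Response` values, the same logic can be fed from an HTTP proxy log or an asset inventory export instead of a live probe; the "indeterminate" result is the case to review by hand, since one matching endpoint without the other usually means a version or path mismatch rather than a confirmed exposure.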
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | | 8.7 | HIGH | |
| vendor_debian | | 8.7 | HIGH | |
OSV
CVE-2026-32596 [HIGH]: Glances is an open-source system cross-platform monitoring tool
osv · 2026-03-18 · CVSS 8.7
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
OSV
CVE-2026-32596 [HIGH]: Glances exposes the REST API without authentication
osv · 2026-03-16
### Summary
Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client.
### Details
Root Cause: Authentication is optional and disabled by default. When no password is provided, the API router initializes without an authentication dependency, and the server binds to 0.0.0.0, exposing all endpoints.
Affected Code:
- File: `glances/outputs/glances_restful_api.py`, lines 259-272
```python
if self.args.password:
    self._password = GlancesPassword(username=args.username, config=config)
    if JWT_AVAILABLE:
        jwt_secret = config.get_value('outputs', 'jwt_secret_key
```
GHSA
CVE-2026-32596 [HIGH] CWE-200: Glances exposes the REST API without authentication
ghsa · 2026-03-16
(Advisory text identical to the OSV entry above.)
Debian
CVE-2026-32596 [HIGH]: glances - Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2,...
vendor_debian · 2026 · CVSS 8.7
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.
Scope: local
Status per suite:
- bookworm: open
- forky: resolved (fixed in 4.5.2+dfsg-1)
- sid: resolved (fixed in 4.5.2+dfsg-1)
- trixie: open
No detection rules found.
Nuclei
CVE-2026-32596 [HIGH]: Glances - Information Disclosure
nuclei · CVSS 8.7
Glances < 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials; the exploit requires no special privileges.
Template:
```yaml
id: CVE-2026-32596

info:
  name: Glances - Information Disclosure
  author: theamanrawat
  severity: high
  description: |
    Glances < 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges.
  impact: |
    Remote attackers can access sensitive system information including credentials, risking data exposure and system c
```
Wiz
CVE-2026-32596 [HIGH]: CVE-2026-32596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7
## CVE-2026-32596: Python vulnerability analysis and mitigation
`glances -w`
- Source: NVD
- Score: 8.7
- Published: March 18, 2026
- Severity: HIGH
- CNA Score: 8.7
- Affected Technologies: Python, NixOS
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 88.7
- Exploitation Probability (EPSS): 4.2
- Affected packages and libraries: glances
- Sources: NVD

| Distribution | Versions | Severity | Fix | Added at |
|---|---|---|---|---|
| Alpine | 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge | HIGH | No Fix | Mar 19, 2026 |
| Debian | 12, 13 | MEDIUM | No Fix | Mar 19, 2026 |
| Debian | 14 | HIGH | Has Fix | Mar 19, 2026 |
| Echo | | HIGH | No Fix | Mar 19, 2026 |
| pip | | HIGH | Has Fix | Mar 17, 202 |
Bugzilla
CVE-2026-32596 [HIGH]: glances: unauthenticated API exposure [epel-all]
bugzilla · 2026-03-18 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-32596 [HIGH]: glances: unauthenticated API exposure [fedora-all]
bugzilla · 2026-03-18 · CVSS 7.5
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Published 2026-03-18