CVE-2026-32596
published 2026-03-18


Priority: P2 / 59 · Severity: high · CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 1.55% (72.0th percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.

Affected (4 ranges)

Vendor           Product  Version range                     Fixed in
debian           glances  < glances 4.5.2+dfsg-1 (forky)    glances 4.5.2+dfsg-1 (forky)
glances_project  glances  >= 0, < 4.5.2+dfsg-1              4.5.2+dfsg-1
glances_project  glances  >= 0, < 4.5.2                     4.5.2
nicolargo        glances  < 4.5.2                           4.5.2

Detection & IOCs (extracted from sources)

URL: /api/4/system
URL: /api/4/processlist
  • An unauthenticated HTTP GET to /api/4/system that returns JSON with the fields 'os_name', 'os_version' and 'hostname' indicates a Glances instance exposed without authentication.
  • An unauthenticated HTTP GET to /api/4/processlist that returns JSON with the fields 'cmdline', 'cpu_times' and 'memory_info' confirms the exploitation path: process command lines may contain credentials, API keys or tokens.
  • The Glances web server is started with 'glances -w'; scan hosts for this process invocation to identify exposed instances.
  • Both API endpoints must return HTTP 200 with Content-Type 'application/json' for the vulnerability to be confirmed exploitable, so chain both checks in detection logic.
  • The vulnerability only exists when Glances is started in web server mode; instances not launched with '-w' are not affected.
  • The vulnerable API is version 4 (/api/4/); earlier API versions may use different paths and should be assessed separately.
  • No authentication or special privileges are required to exploit this vulnerability; any network-reachable client can query the API.
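An added example, not taken from the advisory or the Glances project, that applies the detection logic above to already-captured HTTP responses and a host's process command lines, chaining both endpoint checks as the bullets require. The response dictionaries, field names for the capture format and sample records are constructed for illustration.

```python
import json

# Field names the advisory lists as the signature for each endpoint.
EXPECTED_FIELDS = {
    "/api/4/system": {"os_name", "os_version", "hostname"},
    "/api/4/processlist": {"cmdline", "cpu_times", "memory_info"},
}

def endpoint_is_open(resp):
    """True when a captured response shows the endpoint answering without authentication:
    HTTP 200, a JSON content type, and the advisory's field names present in the body."""
    if resp.get("status") != 200:
        return False
    if not resp.get("content_type", "").lower().startswith("application/json"):
        return False
    try:
        body = json.loads(resp.get("body", ""))
    except ValueError:
        return False
    expected = EXPECTED_FIELDS[resp["path"]]
    # /api/4/system returns one object; /api/4/processlist returns a list of process objects.
    records = body if isinstance(body, list) else [body]
    return any(isinstance(r, dict) and expected <= set(r) for r in records)

def assess_host(captures, process_cmdlines):
    """Chain both endpoint checks (both must pass) and flag a 'glances -w' invocation."""
    by_path = {c["path"]: c for c in captures}
    open_endpoints = [p for p in EXPECTED_FIELDS if p in by_path and endpoint_is_open(by_path[p])]
    web_mode = any(
        "-w" in cmd and any(tok.endswith("glances") for tok in cmd) for cmd in process_cmdlines
    )
    return {
        "web_mode": web_mode,
        "open_endpoints": open_endpoints,
        "exposed": len(open_endpoints) == len(EXPECTED_FIELDS),
    }

# Constructed sample data for a self-test; not captured from a real host.
SAMPLE_CAPTURES = [
    {"path": "/api/4/system", "status": 200, "content_type": "application/json",
     "body": json.dumps({"os_name": "Linux", "os_version": "6.1.0", "hostname": "mon-01"})},
    {"path": "/api/4/processlist", "status": 200, "content_type": "application/json",
     "body": json.dumps([{"pid": 4242, "cmdline": ["/usr/bin/python3", "app.py"],
                          "cpu_times": [0.1, 0.0], "memory_info": [1024, 2048]}])},
]
SAMPLE_PROCESSES = [["/usr/bin/glances", "-w"], ["/usr/sbin/sshd", "-D"]]

if __name__ == "__main__":
    print(assess_host(SAMPLE_CAPTURES, SAMPLE_PROCESSES))
```

A host is reported as exposed only when both endpoints pass; a single open endpoint is still listed so the partial finding can be triaged.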

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     7.5    HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd            v4.0     8.7    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
osv            -        8.7    HIGH
vendor_debian  -        8.7    HIGH