CVE-2026-32609
published 2026-03-18CVE-2026-32609: Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on…
PriorityP352high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EPSS
0.50%
38.9th percentile
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
osv7.5HIGH
vendor_debian7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2026-32609: Glances is an open-source system cross-platform monitoring tool
osv·2026-03-18·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609: Glances is an open-source system cross-platform monitoring tool
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
GHSA
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
ghsa·2026-03-16
CVE-2026-32609 [HIGH] CWE-200 Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
## Summary
The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication.
## Details
The secrets exposure fix (GHSA-gh4x, commit 5d3de60) modifi
OSV
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
osv·2026-03-16
CVE-2026-32609 [HIGH] Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
## Summary
The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication.
## Details
The secrets exposure fix (GHSA-gh4x, commit 5d3de60) modifi
Debian
CVE-2026-32609: glances - Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x f...
vendor_debian·2026·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609: glances - Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x f...
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
Scope: local
bookworm: open
forky: resolved (fixed in 4.5.2+dfsg-1)
sid: resolved
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [epel-all]
bugzilla·2026-03-18·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [epel-all]
CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
If you are preparing for government exams this year, you can check all the latest updates and notifications on Sarkari Results 2026. It's a very helpful resource for students.Sarkari Results 2026
---
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-32609 python-glances-api: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
bugzilla·2026-03-18·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609 python-glances-api: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
CVE-2026-32609 python-glances-api: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because
Bugzilla
CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
bugzilla·2026-03-18·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
CVE-2026-32609 glances: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials [fedora-42]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
plan t
Wiz
CVE-2026-32609 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-32609 [HIGH] CVE-2026-32609 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32609 :
Python vulnerability analysis and mitigation
/api/v4/config
as_dict_secure()
/api/v4/args
/api/v4/args/{item}
vars(self.args)
--password
Source : NVD
## 7.5
Score
Published March 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
Python
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
glances
Sources
NVD
Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge Severity HIGH No Fix Added at: Mar 20, 2026
Debian 12, 13 Severity MEDIUM No Fix Added at: Mar 19, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 19, 2026
Echo Severi
2026-03-18
Published