CVE-2026-32596

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25	Patch
https://github.com/nicolargo/glances/releases/tag/v4.5.2	Product Release Notes
https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 06:16

Updated : 2026-03-18 18:33

NVD link : CVE-2026-32596

Mitre link : CVE-2026-32596

CVE.ORG link : CVE-2026-32596

JSON object : View

Products Affected

nicolargo

glances

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-32596", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-18T06:16:18.800", "references": [{"url": "https://github.com/nicolargo/glances/commit/208d876118fea5758970f33fd7474908bd403d25", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-wvxv-4j8q-4wjq", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue."}, {"lang": "es", "value": "Glances es una herramienta de monitoreo de sistemas multiplataforma de c\u00f3digo abierto. Antes de la versi\u00f3n 4.5.2, el servidor web de Glances se ejecuta sin autenticaci\u00f3n por defecto cuando se inicia con 'glances -w', exponiendo la API REST con informaci\u00f3n sensible del sistema, incluyendo l\u00edneas de comando de procesos que contienen credenciales (contrase\u00f1as, claves de API, tokens) a cualquier cliente de red. La versi\u00f3n 4.5.2 soluciona el problema."}], "lastModified": "2026-03-18T18:33:12.503", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59", "versionEndExcluding": "4.5.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}