CVE-2026-32609: Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
(updated )
The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are accessible without any authentication.
References
- github.com/advisories/GHSA-cvwp-r2g2-j824
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f
- github.com/nicolargo/glances/releases/tag/v4.5.2
- github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824
- nvd.nist.gov/vuln/detail/CVE-2026-32609
Code Behaviors & Features
Detect and mitigate CVE-2026-32609 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →