Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
Description
Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
GlancesPyPI | < 4.5.2 | 4.5.2 |
Affected products
3- ghsa-coords2 versions
< 4.5.2+ 1 more
- (no CPE)range: < 4.5.2
- (no CPE)range: < 4.5.2-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-cvwp-r2g2-j824ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32609ghsaADVISORY
- github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44fghsax_refsource_MISCWEB
- github.com/nicolargo/glances/releases/tag/v4.5.2ghsax_refsource_MISCWEB
- github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.