Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials
Description
Glances is an open-source, cross-platform system monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated exposure of configuration secrets on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not covered by that fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are reachable without any authentication. Version 4.5.2 provides a more complete fix.
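An added audit helper (example code, not from the Glances project or the advisory) that inspects a captured /api/v4/args response and lists which sensitive keys come back unmasked, using the key names and the '********' marker from the fix; the three sample responses are constructed, and the port, file path and credential values in them are placeholders.

```python
import json

# Argument names the 4.5.2 fix redacts when Glances runs without --password
# (names taken from the fix commit); 'password' is masked in both modes.
SENSITIVE_ARGS = frozenset({'password', 'snmp_community', 'snmp_user',
                            'snmp_auth', 'conf_file', 'username'})
ALWAYS_REDACTED_ARGS = frozenset({'password'})
REDACTED = '********'

def exposed_args(args_json, auth_configured):
    """Return the sorted keys whose values should be masked but are not.

    auth_configured: True if the server was started with --password.
    Absent keys and None/empty values are not reported: there is
    nothing to redact in them.
    """
    expected = ALWAYS_REDACTED_ARGS if auth_configured else SENSITIVE_ARGS
    return sorted(k for k in expected
                  if args_json.get(k) and args_json[k] != REDACTED)

def audit_response(body, auth_configured):
    """Parse a raw /api/v4/args JSON body and return an audit verdict."""
    leaks = exposed_args(json.loads(body), auth_configured)
    return {'vulnerable': bool(leaks), 'exposed': leaks}

# Constructed sample (placeholder values, not real credentials): an
# unpatched instance started without --password, reachable by anyone.
SAMPLE_NO_AUTH = json.dumps({
    'password': None, 'username': 'glances',
    'snmp_community': 'public', 'snmp_user': 'monitor', 'snmp_auth': 'authkey',
    'conf_file': '/etc/glances/glances.conf', 'port': 61208,
})

# Constructed sample: unpatched instance with --password set; the stored
# hash is returned to any authenticated client.
SAMPLE_WITH_AUTH = json.dumps({
    'password': 'placeholder-salt$placeholder-pbkdf2-hash',
    'username': 'glances', 'snmp_community': None, 'snmp_user': None,
    'snmp_auth': None, 'conf_file': '/etc/glances/glances.conf', 'port': 61208,
})

# Constructed sample: the no-password instance after upgrading to 4.5.2.
SAMPLE_PATCHED = json.dumps({**{k: REDACTED for k in SENSITIVE_ARGS}, 'port': 61208})

if __name__ == '__main__':
    for name, body, auth in [('no auth', SAMPLE_NO_AUTH, False),
                             ('with auth', SAMPLE_WITH_AUTH, True),
                             ('patched', SAMPLE_PATCHED, False)]:
        print(name, audit_response(body, auth))
```

To check a live deployment, feed the body of a GET on /api/v4/args to audit_response with auth_configured set to whether the server was started with --password.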
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Glances (PyPI) | < 4.5.2 | 4.5.2 |
Patches
ff14eb9780ee Merge branch 'GHSA-cvwp-r2g2-j824' into develop
1 file changed · +34 −8
glances/outputs/glances_restful_api.py+34 −8 modified@@ -1267,6 +1267,38 @@ def _api_config_section_item(self, section: str, item: str): return GlancesJSONResponse(ret_item) + # Args keys that must always be redacted (even for authenticated users) + _ALWAYS_REDACTED_ARGS = frozenset({'password'}) + + # Args keys redacted when no authentication is configured + _SENSITIVE_ARGS = frozenset( + { + 'password', + 'snmp_community', + 'snmp_user', + 'snmp_auth', + 'conf_file', + 'username', + } + ) + + def _sanitize_args(self): + """Return a sanitized copy of self.args as a dict. + + - password hash is always redacted (even for authenticated users) + - other sensitive fields are redacted when no authentication is configured + """ + args_json = vars(self.args).copy() + if not self.args.password: + for key in self._SENSITIVE_ARGS: + if key in args_json: + args_json[key] = '********' + else: + for key in self._ALWAYS_REDACTED_ARGS: + if key in args_json and args_json[key]: + args_json[key] = '********' + return args_json + def _api_args(self): """Glances API RESTful implementation. @@ -1275,10 +1307,7 @@ def _api_args(self): HTTP/404 if others error """ try: - # Get the RAW value of the args' dict - # Use vars to convert namespace to dict - # Source: https://docs.python.org/%s/library/functions.html#vars - args_json = vars(self.args) + args_json = self._sanitize_args() except Exception as e: raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args ({str(e)})") @@ -1296,10 +1325,7 @@ def _api_args_item(self, item: str): raise HTTPException(status.HTTP_400_BAD_REQUEST, f"Unknown argument item {item}") try: - # Get the RAW value of the args' dict - # Use vars to convert namespace to dict - # Source: https://docs.python.org/%s/library/functions.html#vars - args_json = vars(self.args)[item] + args_json = self._sanitize_args()[item] except Exception as e: raise HTTPException(status.HTTP_404_NOT_FOUND, f"Cannot get args item ({str(e)})")
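Review bot: in the first hunk, `_sanitize_args` applies two different rules depending on the branch: the unauthenticated branch overwrites every key in `_SENSITIVE_ARGS` with `'********'` whether or not it holds a value, while the authenticated branch masks `password` only when it is truthy. Overwriting an unset value (for example `snmp_community` of `None`) changes the reported type and makes an unconfigured option look configured; using the same `if key in args_json and args_json[key]` guard in both branches keeps the output consistent. The redaction is also an exact-name denylist, so any argument added later that carries a credential or a path is exposed until it is listed here; a test that checks every key of `vars(self.args)` against an explicit allowlist would catch that.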
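Review bot: in the `_api_args` hunk, the docstring still documents only the error path ("HTTP/404 if others error") and says nothing about the response now being redacted; add a line stating that `password` is always masked and that the other sensitive keys are masked when no password is configured, otherwise API consumers will read the `'********'` values as a regression. The surrounding `except Exception` also means a bug inside `_sanitize_args` surfaces as a 404 carrying `str(e)`; that fails closed (the raw dict is never returned), but it reports a sanitizer error as a not-found condition.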
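Review bot: in the `_api_args_item` hunk, `self._sanitize_args()[item]` rebuilds and redacts the whole dict for every single-item request, and an `item` that passes the preceding `Unknown argument item` check but is missing from the dict now surfaces as a `KeyError` inside the broad `except`, reported as a 404 with the exception text; masking only the requested key, or looking the item up once and then redacting it, avoids both. A regression test for `/api/v4/args/password` and `/api/v4/args/snmp_community` in both the no-password and password-configured modes would pin down this endpoint's behaviour, since it is the one the advisory names.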
References
- github.com/advisories/GHSA-cvwp-r2g2-j824 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-32609 (advisory)
- github.com/nicolargo/glances/commit/ff14eb9780ee10ec018c754754b1c8c7bfb6c44f (fix commit)
- github.com/nicolargo/glances/releases/tag/v4.5.2 (release)
- github.com/nicolargo/glances/security/advisories/GHSA-cvwp-r2g2-j824 (vendor advisory)