
CVE-2026-32609: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nicolargo glances

Severity: High
Tags: Vulnerability, CVE-2026-32609, CWE-200
Published: Wed Mar 18 2026 (03/18/2026, 14:30:37 UTC)
Source: CVE Database V5
Vendor/Project: nicolargo
Product: glances

Description

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

AI-Powered Analysis

Last updated: 03/18/2026, 14:58:09 UTC

Technical Analysis

Glances is a cross-platform system monitoring tool widely used for real-time system metrics and diagnostics. In versions prior to 4.5.2, a vulnerability identified as CVE-2026-32609 allows unauthenticated remote attackers to retrieve sensitive configuration information via the /api/v4/args and /api/v4/args/{item} REST API endpoints. These endpoints return the full command-line arguments namespace by exposing vars(self.args), which includes critical secrets such as the password hash (comprising salt and pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. The issue arises because when Glances is run without the --password option (which is the default), these endpoints do not require authentication, thus exposing sensitive data to any network user. This vulnerability is a form of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Previously, a fix was applied to the /api/v4/config endpoint to redact secrets via as_dict_secure(), but the /api/v4/args endpoints were not similarly protected until version 4.5.2. The CVSS v3.1 score of 7.5 reflects that the vulnerability is remotely exploitable without authentication or user interaction and results in a high confidentiality impact, though it does not affect integrity or availability. No public exploits have been reported so far, but the sensitive nature of the exposed data makes this a significant risk. The vulnerability affects all Glances installations running versions earlier than 4.5.2, especially those deployed in network-accessible environments without password protection enabled.
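The leak described above and the redaction the fix relies on, as an added Python example that is not Glances' own code: a hypothetical endpoint handler that returns `vars(args)` beside a hardened one that redacts secret-bearing keys and refuses unauthenticated access once a password is configured. The argument names, `build_args` parser and `SECRET_ARGS` set are assumptions modelled on the advisory text, not Glances' real attribute names.

```python
import argparse
import hashlib
import os
from typing import Any

# Argument names treated as secret-bearing (assumed names modelled on the advisory).
SECRET_ARGS = frozenset({"password", "password_hash", "snmp_community", "snmp_auth", "conf_file"})
REDACTED = "<redacted>"


def build_args(argv: list[str]) -> argparse.Namespace:
    """Constructed parser mimicking the advisory's secret-bearing arguments."""
    p = argparse.ArgumentParser()
    p.add_argument("--password", default=None)
    p.add_argument("--snmp-community", default="public")
    p.add_argument("--snmp-auth", default=None)
    p.add_argument("--conf-file", default="/etc/glances/glances.conf")
    args = p.parse_args(argv)
    args.password_hash = None
    if args.password is not None:
        # Keep only a salted PBKDF2 hash, the "salt + pbkdf2_hmac" shape the advisory describes.
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", args.password.encode(), salt, 100_000)
        args.password_hash = salt.hex() + "$" + digest.hex()
        args.password = None  # the clear-text value must not linger in the namespace
    return args


def args_endpoint_vulnerable(args: argparse.Namespace) -> dict[str, Any]:
    """The leaky pattern: the whole namespace, hash and SNMP secrets included, goes out."""
    return vars(args)


def args_endpoint_hardened(args: argparse.Namespace, authenticated: bool) -> dict[str, Any]:
    """Require auth once a password is configured, and redact secret keys regardless."""
    if args.password_hash and not authenticated:
        raise PermissionError("authentication required")
    return {k: (REDACTED if k in SECRET_ARGS and v is not None else v)
            for k, v in vars(args).items()}
```

Note that the hardened handler still redacts the SNMP community string in the default no-password case, which is exactly the deployment the advisory flags as exposed.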

Potential Impact

The primary impact of CVE-2026-32609 is the unauthorized disclosure of sensitive configuration secrets, including password hashes and SNMP credentials. This exposure can enable attackers to perform further attacks such as credential cracking, unauthorized SNMP access, or lateral movement within the network. Since the vulnerability requires no authentication and no user interaction, any attacker with network access to the Glances API endpoints can exploit it. Organizations relying on Glances for system monitoring in production or sensitive environments risk leaking critical secrets that could compromise system security and privacy. The exposure of password hashes and SNMP keys may lead to privilege escalation or unauthorized monitoring and control of network devices. Although the vulnerability does not directly impact system integrity or availability, the confidentiality breach can have cascading effects on overall security posture. The risk is heightened in environments where Glances is exposed to untrusted networks or the internet without proper access controls. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability's characteristics make it a likely target for attackers once widely known.

Mitigation Recommendations

To mitigate CVE-2026-32609, organizations should immediately upgrade all Glances installations to version 4.5.2 or later, where the vulnerability is fully addressed by securing the /api/v4/args endpoints and redacting sensitive information. Until upgrades can be performed, administrators should enable the --password option to enforce authentication on the API endpoints, preventing unauthenticated access. Additionally, network-level controls such as firewall rules or VPNs should be used to restrict access to the Glances API endpoints to trusted users only. Monitoring and logging access to these endpoints can help detect unauthorized attempts. It is also advisable to rotate any exposed credentials, such as SNMP community strings and the password whose hash was exposed, if there is suspicion of compromise. Reviewing and minimizing the exposure of monitoring tools like Glances on public or untrusted networks reduces the attack surface. Finally, organizations should audit their use of Glances and ensure that sensitive configuration data is not unnecessarily exposed through APIs or logs.
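The monitoring recommendation above, as an added detection example that is not part of the original page: it scans a constructed access log for successful reads of /api/v4/args and /api/v4/args/{item} from clients outside an allow-listed monitoring range. The log layout, the `TRUSTED_NETS` range and the sample lines are assumptions; Glances' real log format is not on the page.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed access-log layout (constructed for this example; not Glances' real log format):
#   <client ip> - - [<time>] "<method> <path> HTTP/1.1" <status> <bytes>
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+$')
# The endpoints named in the advisory; /api/v4/args/{item} is covered by the prefix check.
SENSITIVE_PATHS = ("/api/v4/args",)
# Assumed allow-list of monitoring hosts that may legitimately read these endpoints.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log: one benign metrics call, two successful reads of the args
# endpoints from outside the trusted range, and one refused after --password was enabled.
SAMPLE_LOG = """\
10.0.1.5 - - [18/Mar/2026:14:31:02 +0000] "GET /api/v4/cpu HTTP/1.1" 200 512
203.0.113.7 - - [18/Mar/2026:14:31:09 +0000] "GET /api/v4/args HTTP/1.1" 200 2048
203.0.113.7 - - [18/Mar/2026:14:31:11 +0000] "GET /api/v4/args/conf_file HTTP/1.1" 200 96
203.0.113.7 - - [18/Mar/2026:14:35:40 +0000] "GET /api/v4/args HTTP/1.1" 401 0
"""


def is_sensitive(path: str) -> bool:
    """True for /api/v4/args itself and any /api/v4/args/{item} sub-path."""
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATHS)


def is_trusted(ip: str) -> bool:
    try:
        return any(ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False  # unparsable client field: treat as untrusted


def find_arg_exposures(log_text: str) -> list[dict[str, str]]:
    """Return successful (2xx) reads of the args endpoints from untrusted clients."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if is_sensitive(path) and status.startswith("2") and not is_trusted(ip):
            hits.append({"ip": ip, "time": ts, "method": method, "path": path})
    return hits
```

A hit on a pre-4.5.2 host running without --password is the signal to treat the SNMP community string, SNMP authentication key and password as exposed and rotate them.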


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-12T14:54:24.270Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69baba10771bdb1749a5df7e

Added to database: 3/18/2026, 2:43:28 PM

Last enriched: 3/18/2026, 2:58:09 PM

Last updated: 3/19/2026, 5:39:50 AM

