PYSEC-2026-2168

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/glances/PYSEC-2026-2168.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2168
Aliases
Published
2026-03-18T15:16:30.780Z
Modified
2026-07-13T07:15:31.496002225Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
[none]
Details

Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing as_dict_secure() redaction. However, the /api/v4/args and /api/v4/args/{item} endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via vars(self.args), which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without --password (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.

References

Affected packages

PyPI / glances

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.5.2

Affected versions

1.*
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.4
1.4.1
1.4.1.1
1.4.2
1.4.2.1
1.5
1.5.1
1.5.2
1.6
1.6.1
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
2.*
2.0
2.0.1
2.1
2.1.1
2.1.2
2.2
2.2.1
2.3
2.4
2.4.1
2.4.2
2.5
2.5.1
2.6
2.6.1
2.6.2
2.7
2.7.1
2.8
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.9.0
2.9.1
2.10
2.11
2.11.1
3.*
3.0
3.0.1
3.0.2
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.4.1
3.1.5
3.1.6
3.1.6.1
3.1.6.2
3.1.7
3.2.0
3.2.1
3.2.2
3.2.3
3.2.3.1
3.2.4
3.2.4.1
3.2.4.2
3.2.5
3.2.6.1
3.2.6.2
3.2.6.3
3.2.6.4
3.2.7
3.3.0
3.3.0.1
3.3.0.2
3.3.0.3
3.3.0.4
3.3.1
3.3.1.1
3.4.0
3.4.0.1
3.4.0.2
3.4.0.3
3.4.0.4
3.4.0.5
4.*
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.6
4.0.7
4.0.8
4.1.0
4.1.1
4.1.2
4.2.0
4.2.1
4.3.0
4.3.0.1
4.3.0.3
4.3.0.4
4.3.0.5
4.3.0.6
4.3.0.7
4.3.0.8
4.3.1
4.3.2
4.3.3
4.4.0
4.4.1
4.5.0
4.5.0.1
4.5.0.2
4.5.0.3
4.5.0.4
4.5.0.5
4.5.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/glances/PYSEC-2026-2168.yaml"