CVE-2026-32633

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e	Patch
https://github.com/nicolargo/glances/releases/tag/v4.5.2	Release Notes
https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m	Exploit Vendor Advisory
https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-18 18:16

Updated : 2026-03-19 19:04

NVD link : CVE-2026-32633

Mitre link : CVE-2026-32633

CVE.ORG link : CVE-2026-32633

JSON object : View

Products Affected

nicolargo

glances

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-32633", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-18T18:16:28.933", "references": [{"url": "https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue."}, {"lang": "es", "value": "Glances es una herramienta de monitoreo de sistema de c\u00f3digo abierto multiplataforma. Antes de la versi\u00f3n 4.5.2, en modo Navegador Central, el endpoint `/api/4/serverslist` devuelve objetos de servidor sin procesar de `GlancesServersList.get_servers_list()`. Esos objetos son mutados in situ durante el sondeo en segundo plano y pueden contener un campo `uri` con credenciales HTTP Basic incrustadas para servidores Glances descendentes, utilizando el secreto de autenticaci\u00f3n de Glances derivado de pbkdf2 reutilizable. Si la instancia frontal de Navegador/API de Glances se inicia sin `--password`, lo cual es compatible y com\u00fan para implementaciones de red internas, `/api/4/serverslist` no est\u00e1 completamente autenticado. Cualquier usuario de red que pueda alcanzar la API del Navegador puede recuperar credenciales reutilizables para servidores Glances descendentes protegidos una vez que hayan sido sondeados por la instancia del navegador. La versi\u00f3n 4.5.2 corrige el problema."}], "lastModified": "2026-03-19T19:04:46.033", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59", "versionEndExcluding": "4.5.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}