Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

INFO

Published Date :

2026-03-18T17:53:11.263Z

Last Modified :

2026-03-18T18:35:27.562Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32633 vulnerability.

Vendors Products
Nicolargo
  • Glances
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32633.

URL Resource
https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e cve-icon cve-icon
https://github.com/nicolargo/glances/releases/tag/v4.5.2 cve-icon cve-icon
https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact