CVE-2026-32633
Published 2026-03-18
Priority P262 · critical · 9.1 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.47% (37.3rd percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
Detection & IOCs (extracted from sources)
- Monitor unauthenticated HTTP GET requests to the `/api/4/serverslist` endpoint on Glances Browser/API instances, especially from unexpected source IPs. Credential leakage occurs when the instance is started without `--password`.
- Alert on responses from `/api/4/serverslist` that contain a `uri` field with embedded HTTP Basic credentials (i.e., the `scheme://user:password@host` format), indicating downstream credential exposure.
- Identify Glances instances running in Central Browser mode (pre-4.5.2) as high-priority remediation targets; the vulnerability is exploitable by any network-reachable user once downstream servers have been polled.
- The vulnerability is only exploitable when the Glances Browser/API instance is running in Central Browser mode AND was started without the `--password` flag, which is a common configuration for internal network deployments.
- Leaked credentials are pbkdf2-derived and reusable across all downstream Glances servers polled by the browser instance, amplifying the blast radius of a single credential theft.
- Debian bookworm and trixie remain unpatched as of the advisory; only forky and sid have the fix (4.5.2+dfsg-1). Fedora (all) and EPEL (all) are also tracked as unresolved.
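As an added defender-side example (not Glances project code), the Python below checks a `/api/4/serverslist` body for `uri` values carrying embedded Basic credentials, reports them with the secret redacted so the alert does not re-leak it, and shows the sanitized shape such a response should have. The sample response, and every field name in it other than `uri`, is a constructed assumption.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what an unauthenticated GET /api/4/serverslist
# might return on a pre-4.5.2 Browser instance after polling; the exact
# field names are an assumption, only `uri` is named in the advisory.
SAMPLE_RESPONSE = json.dumps([
    {"name": "db-01", "uri": "http://glances:s3cr3t@10.0.0.5:61208", "status": "ONLINE"},
    {"name": "web-01", "uri": "http://10.0.0.6:61208", "status": "ONLINE"},
    {"name": "cache-01", "uri": "http://glances:s3cr3t@10.0.0.7:61208", "status": "OFFLINE"},
])

def has_embedded_credentials(uri: str) -> bool:
    """True when the URI carries userinfo (scheme://user:password@host)."""
    parts = urlsplit(uri)
    return parts.username is not None or parts.password is not None

def redact_uri(uri: str) -> str:
    """Strip userinfo from the URI so it can be logged; unchanged if it had none."""
    parts = urlsplit(uri)
    if not has_embedded_credentials(uri):
        return uri
    host = parts.hostname or ""
    if ":" in host:  # re-bracket an IPv6 literal, which urlsplit unwraps
        host = f"[{host}]"
    netloc = host + (f":{parts.port}" if parts.port is not None else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

def find_leaks(body: str) -> list:
    """Report server entries whose `uri` embeds Basic credentials.
    Findings carry only a redacted URI so the alert itself does not re-leak the secret."""
    findings = []
    for entry in json.loads(body):
        uri = entry.get("uri") or ""
        if has_embedded_credentials(uri):
            findings.append({"name": entry.get("name"), "redacted_uri": redact_uri(uri)})
    return findings

def sanitize_response(body: str) -> str:
    """Defensive copy of the list with credentials stripped from every `uri`
    (the shape a safe API response should take; illustrative, not the project's fix)."""
    return json.dumps([{**e, "uri": redact_uri(e.get("uri") or "")} for e in json.loads(body)])

if __name__ == "__main__":
    for f in find_leaks(SAMPLE_RESPONSE):
        print(f"ALERT: {f['name']} exposes downstream credentials via {f['redacted_uri']}")
```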
CVSS provenance
- nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- osv: 9.1 CRITICAL
- vendor_debian: 9.1 CRITICAL
Sources
OSV (2026-03-18, CVSS 9.1): CVE-2026-32633: Glances is an open-source system cross-platform monitoring tool
GHSA (2026-03-16, CWE-200): Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
OSV (2026-03-16): Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
Debian (vendor_debian, 2026, CVSS 9.1): CVE-2026-32633: glances - Glances is an open-source system cross-platform monitoring tool. Prior to versio...
No detection rules found.
No public exploits indexed.
Wiz (blogs_wiz, CVSS 9.1): CVE-2026-32633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32633: Python vulnerability analysis and mitigation
- Source: NVD
- Score: 9.1
- Published: March 18, 2026
- Severity: CRITICAL
- CNA Score: 9.1
- Affected Technologies: Python, NixOS
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 15.4
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: glances
- Sources: NVD
- Debian 12, 13: Severity MEDIUM, No Fix, Added at: Mar 19, 2026
- Debian 14: Severity CRITICAL, Has Fix, Added at: Mar 19, 2026
- Echo: Severity CRITICAL, No Fix, Added at: Mar 19, 2026
- pip: Severity CRITICAL, Has Fix, Added at: Mar 17, 2026
- Homebrew: Severity CRITICAL, Has Fix, Add
Bugzilla (2026-03-18, CVSS 9.1): CVE-2026-32633 glances: browser API exposes reusable downstream credentials via '/api/4/serverslist' [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla (2026-03-18, CVSS 9.1): CVE-2026-32633 glances: browser API exposes reusable downstream credentials via '/api/4/serverslist' [epel-all]