CVE-2026-32633
published 2026-03-18


Priority: P262 · critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.47% (37.3rd percentile)
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns the raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, built from the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can therefore retrieve reusable credentials for protected downstream Glances servers once the browser instance has polled them. Version 4.5.2 fixes the issue.

Affected

4 ranges

Vendor | Product | Version range | Fixed in
debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky)
glances_project | glances | >= 0, < 4.5.2+dfsg-1 | 4.5.2+dfsg-1
glances_project | glances | >= 0, < 4.5.2 | 4.5.2
nicolargo | glances | < 4.5.2 | 4.5.2

Detection & IOCs (extracted from sources)

URL: /api/4/serverslist
  • Monitor unauthenticated HTTP GET requests to the `/api/4/serverslist` endpoint on Glances Browser/API instances, especially from unexpected source IPs. Credential leakage occurs when the instance is started without `--password`.
  • Alert on responses from `/api/4/serverslist` that contain a `uri` field with embedded HTTP Basic credentials (i.e., `scheme://user:password@host` format), indicating downstream credential exposure.
  • Identify Glances instances running in Central Browser mode (pre-4.5.2) as high-priority targets; the vulnerability is exploitable by any network-reachable user once downstream servers have been polled.
  • The vulnerability is only exploitable when the Glances Browser/API instance is running in Central Browser mode AND started without the `--password` flag, which is a common configuration for internal network deployments.
  • Leaked credentials are pbkdf2-derived and reusable across all downstream Glances servers polled by the browser instance, amplifying the blast radius of a single credential theft.
  • Debian bookworm and trixie remain unpatched as of the advisory; only forky and sid have the fix (4.5.2+dfsg-1). Fedora (all) and EPEL (all) are also tracked as unresolved.
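A small detector for the second bullet above, written for this page as an added example (it is not code from the Glances project or from the advisory source): it walks a decoded `/api/4/serverslist` JSON body, flags every `uri` whose authority part embeds `user:password@`, and redacts the password before reporting so the finding can be logged. The response layout and all sample values are constructed assumptions, not the real Glances server object.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a Browser/API response: two downstream servers, one
# polled with HTTP Basic credentials, plus a nested object to show recursion.
SAMPLE_RESPONSE = json.dumps([
    {"name": "db01", "uri": "http://glances:s3cr3t-derived-secret@10.0.0.11:61208"},
    {"name": "web01", "uri": "http://10.0.0.12:61208"},
    {"name": "nested", "detail": {"uri": "https://admin:pw@10.0.0.13:61209"}},
])

def has_embedded_credentials(uri):
    """True when the URI authority carries user:password@ (HTTP Basic style)."""
    try:
        parts = urlsplit(uri)
    except ValueError:  # malformed IPv6 literal etc.
        return False
    return bool(parts.scheme) and parts.password is not None

def redact_uri(uri):
    """Replace the password with *** so the finding can be logged safely."""
    p = urlsplit(uri)
    host = p.hostname or ""
    if p.port is not None:
        host = f"{host}:{p.port}"
    netloc = f"{p.username}:***@{host}" if p.username else host
    return urlunsplit((p.scheme, netloc, p.path, p.query, p.fragment))

def find_credential_exposures(body, path="$"):
    """Walk a decoded JSON body; report each `uri` with embedded credentials."""
    findings = []
    if isinstance(body, dict):
        for key, value in body.items():
            here = f"{path}.{key}"
            if key == "uri" and isinstance(value, str) and has_embedded_credentials(value):
                findings.append({"path": here, "host": urlsplit(value).hostname, "uri": redact_uri(value)})
            else:
                findings.extend(find_credential_exposures(value, here))
    elif isinstance(body, list):
        for i, item in enumerate(body):
            findings.extend(find_credential_exposures(item, f"{path}[{i}]"))
    return findings

def scan_serverslist_response(raw_json):
    """Entry point: raw JSON text from /api/4/serverslist -> list of findings."""
    return find_credential_exposures(json.loads(raw_json))

if __name__ == "__main__":
    for f in scan_serverslist_response(SAMPLE_RESPONSE):
        print(f"ALERT credential exposure at {f['path']}: {f['uri']}")
```

Run it against the body of a response captured by your proxy or API gateway; any non-empty result means a downstream credential has been exposed and should be rotated.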

CVSS provenance

nvd (CVSS v3.1): 9.1 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
osv: 9.1 CRITICAL
vendor_debian: 9.1 CRITICAL