CVE-2026-32634
Published 2026-03-18
Priority: P3 (46) · high · 8.1 (CVSS 3.1)
CVSS 3.1 vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.28% (19.9th percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
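The two code paths the description contrasts, as an added Python illustration of the bug class (not Glances' own code). The hardened variant, which pins each saved secret to the address it was saved for and never auto-applies the global default to a discovered host, is this editor's assumption, not the 4.5.2 fix; the server records, port and secrets are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DynamicServer:
    """A Zeroconf-discovered server as a central browser might record it (constructed)."""
    name: str        # advertised instance name: anyone on the LAN can choose it
    ip: str          # address actually resolved for the advertisement
    port: int
    protected: bool  # the advertisement claims the server wants a password


# Constructed sample credential stores; none of these are real secrets.
# Pre-4.5.2 layout as the advisory describes it: secrets keyed by advertised
# name, plus a global [passwords] default used when the name is unknown.
SAVED_BY_NAME = {"nas": "nas-secret-SAMPLE"}
GLOBAL_DEFAULT = "default-secret-SAMPLE"
# Hardened layout (assumption for this illustration, not the 4.5.2 fix):
# each secret is pinned to the address it was originally saved for.
SAVED_BY_NAME_AND_IP = {("nas", "192.0.2.10"): "nas-secret-SAMPLE"}


def vulnerable_connect_params(srv: DynamicServer):
    """Pattern the advisory describes: URI from the untrusted name, secret looked up by it."""
    uri = f"http://{srv.name}:{srv.port}"  # resolving the name is under the advertiser's control
    secret = None
    if srv.protected:
        secret = SAVED_BY_NAME.get(srv.name, GLOBAL_DEFAULT)  # unknown name -> global default
    return uri, secret


def hardened_connect_params(srv: DynamicServer):
    """Connect to the discovered IP only; release a saved secret only when it was saved
    for exactly this (name, ip); never auto-send the global default to a discovered host."""
    uri = f"http://{srv.ip}:{srv.port}"
    secret = None
    if srv.protected:
        secret = SAVED_BY_NAME_AND_IP.get((srv.name, srv.ip))
    return uri, secret


if __name__ == "__main__":
    # Constructed advertisements: the real "nas" and one reusing its name from another
    # host. 61208 is Glances' default web server port.
    legit = DynamicServer("nas", "192.0.2.10", 61208, True)
    spoof = DynamicServer("nas", "192.0.2.66", 61208, True)
    for srv in (legit, spoof):
        print(srv.ip, "vulnerable:", vulnerable_connect_params(srv),
              "hardened:", hardened_connect_params(srv))
```

Run as a script it shows that only the vulnerable path hands the saved "nas" secret to the second host, and that the hardened path sends nothing to a host it has no pinned credential for.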
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
OSV
CVE-2026-32634: Glances is an open-source system cross-platform monitoring tool
osv · 2026-03-18 · CVSS 8.1 · HIGH
GHSA
Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
ghsa · 2026-03-16 · HIGH · CWE-346
OSV
Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
osv · 2026-03-16 · HIGH
Debian
CVE-2026-32634: glances - Glances is an open-source system cross-platform monitoring tool. Prior to versio...
vendor_debian · 2026 · CVSS 8.1 · HIGH
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32634 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 · HIGH
Python vulnerability analysis and mitigation (source: NVD)
- Score: 8.1 (CNA score 8.1), severity HIGH, published March 18, 2026
- Affected technologies: Python, NixOS
- Affected packages and libraries: glances
- Has public exploit: Yes
- Has CISA KEV exploit: No (CISA KEV release date N/A, due date N/A)
- Exploitation probability percentile (EPSS): 1.2
- Exploitation probability (EPSS): N/A
Sources:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Debian 12, 13 | MEDIUM | No fix | Mar 19, 2026 |
| Debian 14 | HIGH | Has fix | Mar 19, 2026 |
| Echo | HIGH | No fix | Mar 19, 2026 |
| pip | HIGH | Has fix | Mar 17, 2026 |
| Homebrew | HIGH | Has fix | Mar 20, 2026 |
| Nix | HIGH | Has fix | Mar 20, 2026 |
Bugzilla
CVE-2026-32634 glances: Central Browser autodiscovery leaks reusable credentials to Zeroconf-spoofed servers [fedora-all]
bugzilla · 2026-03-18 · CVSS 8.1 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
CVE-2026-32634 glances: Central Browser autodiscovery leaks reusable credentials to Zeroconf-spoofed servers [epel-all]
bugzilla · 2026-03-18 · CVSS 8.1 · HIGH
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.