CVE-2026-32633 in glancesالمعلومات

الملخص

بحسب MITRE • 18/03/2026

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

GitHub M

حجز

12/03/2026

إفشاء

18/03/2026

الاعتدال

تمت الموافقة

إدخال

VDB-351587

CPE

جاهز

CWE

CWE-200 (مؤكد)

CVSS

9.1 (CNA)

EPSS

0.00103

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-32633
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-32633
CVE Details	https://www.cvedetails.com/cve/CVE-2026-32633/

التالي ▸نظرة عامة ◂ السابق

Want to know what is going to be exploited?

We predict KEV entries!