CVE-2026-32633 in glancesinformação

Sumário

de MITRE • 18/03/2026

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsável

GitHub M

Reservar

12/03/2026

Divulgação

18/03/2026

Moderação

aceite

Entrada

VDB-351587

CPE

pronto

CWE

CWE-200 (confirmado)

CVSS

9.1 (CNA)

EPSS

0.00103

KEV

não

Atividades

muito baixo

Fontes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-32633
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-32633
CVE Details	https://www.cvedetails.com/cve/CVE-2026-32633/

◂ Voltar Visão Geral Próximo ▸

Do you know our Splunk app?

Download it now for free!