Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
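The two defects the description names, an endpoint handing out the live, in-place-mutated server objects and a `uri` field carrying HTTP Basic credentials, have a common defensive pattern: serialize a copy, and strip the userinfo component from any URI before it leaves the process. The following is an added example of that pattern, not Glances' own code or its fix; the record layout (dicts with `name` and `uri` keys), the function names and the sample servers are all constructed for the illustration.

```python
"""
Added example (not Glances' own code): a defensive serialization step for an
API endpoint that returns server records which may carry credentials in a URI.

Assumptions (hypothetical, not taken from the Glances code base):
  - server records are dicts with at least "name" and "uri" keys;
  - credential material, if present, lives in the userinfo part of "uri"
    (scheme://user:secret@host:port/path).
"""
from copy import deepcopy
from urllib.parse import urlsplit, urlunsplit


def strip_userinfo(uri: str) -> str:
    """Return `uri` with any user:password@ component removed."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri  # nothing embedded, hand back unchanged
    host = parts.hostname or ""
    # urlsplit unwraps IPv6 literals; re-bracket them so the URI stays valid.
    if ":" in host:
        host = f"[{host}]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def public_view(servers: list[dict]) -> list[dict]:
    """Return deep copies of the server records that are safe to serialize.

    Copying decouples the HTTP response from objects a background poller keeps
    mutating; stripping the URI userinfo and dropping explicit secret keys
    removes reusable credentials from what a caller can read.
    """
    out = []
    for server in servers:
        record = deepcopy(server)  # never expose the live, mutated object
        if isinstance(record.get("uri"), str):
            record["uri"] = strip_userinfo(record["uri"])
        for key in ("password", "secret", "token"):  # hypothetical field names
            record.pop(key, None)
        out.append(record)
    return out


# Constructed sample data for the example; the secrets are placeholders.
SAMPLE_SERVERS = [
    {"name": "db-01", "uri": "http://glances:s3cret-example@10.0.0.5:61209/", "status": "ONLINE"},
    {"name": "web-01", "uri": "http://10.0.0.6:61209/", "status": "OFFLINE"},
    {"name": "v6-host", "uri": "http://glances:s3cret@[fd00::1]:61209/api/4", "status": "ONLINE"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(public_view(SAMPLE_SERVERS), indent=2))
```

A quick check after applying something like this is to fetch the endpoint without credentials and confirm that no `uri` value contains an `@`; the copy-on-read also means later polling cycles cannot leak fresh credentials into a response that has already been built.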
Published: 2026-03-18
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker who can reach the Glances Browser API endpoint `/api/4/serverslist` to retrieve raw server objects that contain a `uri` field embedding HTTP Basic credentials for downstream Glances servers. These credentials are generated from a reusable pbkdf2-derived secret and are stored in memory via `GlancesServersList.get_servers_list()`. Exposing these credentials compromises the confidentiality and integrity of the downstream servers, potentially allowing an attacker to gain unauthorized access and control. The issue is a classic Information Exposure (CWE-200) and Sensitive Data Storage (CWE-522) scenario.

Affected Systems

All versions of the open-source monitoring tool Glances from the vendor nicolargo, prior to the release of version 4.5.2, are affected. The problem appears only in Central Browser mode and when the Browser/API instance is started without the `--password` flag, which is frequently used in internal network deployments.

Risk and Exploitability

The flaw has a CVSS score of 9.1, indicating high severity, but an EPSS score of less than 1%, implying a low current probability of exploitation. It is not listed in CISA's KEV catalog. The attack vector is network-based: any host that can reach the unauthenticated Browser API can pull the downstream credentials. Once obtained, the attacker can authenticate to downstream Glances servers, potentially taking full control of those systems. The lack of authentication on the endpoint combined with the exposure of reusable credentials makes exploitation straightforward for any user with network reach to the endpoint.

Generated by OpenCVE AI on March 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.2 or later.
  • If upgrade is not possible, start the Browser/API instance with the --password option to enable authentication.
  • Restrict network access to the Browser API endpoint to trusted hosts or subnets using a firewall or ACL.
  • Consider disabling the Browser API if it is not required for your environment.
  • Monitor for any unexpected outbound connections or credential usage from downstream Glances servers.

Advisories

Source: Github GHSA
ID: GHSA-r297-p3v4-wp8m
Title: Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`

History

Thu, 19 Mar 2026 19:15:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000
  Type: First Time appeared
  Values Added: Nicolargo; Nicolargo glances
  Type: Vendors & Products
  Values Added: Nicolargo; Nicolargo glances

Wed, 18 Mar 2026 19:15:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 18:15:00 +0000
  Type: Description
  Values Added: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
  Type: Title
  Values Added: Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
  Type: Weaknesses
  Values Added: CWE-200; CWE-522
  Type: References
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-18T18:35:27.562Z
  Reserved: 2026-03-12T15:29:36.559Z
  Link: CVE-2026-32633

Vulnrichment
  Updated: 2026-03-18T18:35:16.287Z

NVD
  Status: Analyzed
  Published: 2026-03-18T18:16:28.933
  Modified: 2026-03-19T19:04:46.033
  Link: CVE-2026-32633

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-03-24T10:58:09Z

Weaknesses