Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects both the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
Published: 2026-03-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Glances allows a local network attacker to spoof a Zeroconf advertisement for a Glances server. Glances incorrectly uses the untrusted advertised name to build connection URIs and to look up stored credentials for protected servers. This behavior results in Glances automatically sending a reusable authentication secret to the attacker-controlled host. The impact is the disclosure of authentication credentials that can grant unauthorized access to the Glances system. The weakness can be classified as CWE-346 and CWE-522.
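As an added illustration (not Glances' own code), the pattern the description above identifies: a Central Browser that keys both the connection URI and the saved-password lookup on the Zeroconf-advertised name, beside a form that connects to the IP the announcement actually came from and never releases the shared default credential to a dynamically discovered host. The hardened half is an illustrative policy, not the vendor's 4.5.2 change; the `[passwords]` entries and the discovered-server record are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for what a Zeroconf browse callback returns: the
# instance name is chosen by whoever sent the announcement, while the IP is
# the address the announcement was actually observed from.
@dataclass
class DiscoveredServer:
    advertised_name: str   # untrusted, attacker-controlled
    ip: str                # observed on the wire
    port: int
    protected: bool        # the announcer's own claim that it needs auth

# Constructed [passwords] section: one saved server plus the global default.
PASSWORDS = {"prod-monitor": "s3cret-prod", "default": "shared-default"}

def vulnerable_target(srv: DiscoveredServer, passwords: dict) -> tuple[str, Optional[str]]:
    """Pre-4.5.2 pattern: URI and credential lookup both keyed on the advertised name.
    A rogue announcer that claims a saved server's name receives that server's
    password; any other name that claims to be protected receives the default."""
    uri = f"http://{srv.advertised_name}:{srv.port}"
    secret = None
    if srv.protected:
        secret = passwords.get(srv.advertised_name, passwords.get("default"))
    return uri, secret

def hardened_target(srv: DiscoveredServer, passwords: dict) -> tuple[str, Optional[str]]:
    """Illustrative hardened form: connect to the discovered IP, and release a saved
    secret only for an address explicitly configured; no default fallback for hosts
    that were merely discovered on the network."""
    uri = f"http://{srv.ip}:{srv.port}"
    secret = None
    if srv.protected:
        secret = passwords.get(srv.ip)   # None unless this IP is configured
    return uri, secret

def demo() -> tuple:
    # A rogue announcer on the LAN reuses the saved server's name and claims protection.
    rogue = DiscoveredServer("prod-monitor", "192.0.2.10", 61209, True)
    return vulnerable_target(rogue, PASSWORDS), hardened_target(rogue, PASSWORDS)

if __name__ == "__main__":
    vuln, hard = demo()
    print("vulnerable would send:", vuln)   # secret for prod-monitor goes to 192.0.2.10
    print("hardened would send:  ", hard)   # no secret released
```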

Affected Systems

Affected systems include the open-source Glances monitoring tool from the vendor nicolargo. Versions prior to 4.5.2 are vulnerable. The issue was addressed in release 4.5.2, which corrects the use of the advertised name in connection logic.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity, while the EPSS score is below 1% and the issue is not currently listed in the CISA KEV catalogue. Exploitation requires the attacker to be on the same local network and to advertise a fake Glances service via Zeroconf. Because the attack vector is limited to a local network and the probability of exploitation is low, the risk is moderate to high for environments where Glances Central Browser mode is enabled and exposed to untrusted local networks. Prompt patching and network segmentation are advisable.

Generated by OpenCVE AI on March 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.2 or newer


Advisories
Source        ID                    Title
Github GHSA   GHSA-vx5f-957p-qpvm   Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
History

Thu, 19 Mar 2026 19:15:00 +0000

Type    Values removed    Values added
CPEs    -                 cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type                  Values removed    Values added
First Time appeared   -                 Nicolargo; Nicolargo glances
Vendors & Products    -                 Nicolargo; Nicolargo glances

Wed, 18 Mar 2026 19:15:00 +0000

Type      Values removed    Values added
Metrics   -                 ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 18:15:00 +0000

Type          Values removed    Values added
Description   -                 Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
Title         -                 Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers
Weaknesses    -                 CWE-346; CWE-522
References    -                 -
Metrics       -                 cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Nicolargo Glances
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:36:07.432Z

Reserved: 2026-03-12T15:29:36.559Z

Link: CVE-2026-32634

Vulnrichment

Updated: 2026-03-18T18:35:59.754Z

NVD

Status: Analyzed

Published: 2026-03-18T18:16:29.097

Modified: 2026-03-19T19:03:47.010

Link: CVE-2026-32634

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:05Z

Weaknesses