Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
Published: 2026-04-20
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential Leakage via SSRF
Action: Patch Now
AI Analysis

Impact

The Glances IP plugin contains an SSRF flaw (CWE-918). The public_api parameter is used as‑is in outbound HTTP requests, without scheme or hostname validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. If public_username and public_password are set, these credentials are automatically included in the Authorization: Basic header, thereby leaking them to the target endpoint. This flaw allows an attacker to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP.

Affected Systems

The vulnerability affects the open‑source system monitoring tool Glances provided by nicolargo. Versions prior to 4.5.4 are vulnerable; the fix is available in version 4.5.4 and later.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity. The EPSS score is less than 1%, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires the attacker to have the ability to modify Glances configuration or otherwise inject custom values for the public_api parameter. From the description, the likely attack vector is local configuration tampering or a privileged interface that can alter the config. Once the flaw is triggered, the application can reach any endpoint accessible from the host, including internal services, cloud metadata servers, or attacker‑controlled servers, potentially leaking authentication credentials. The high CVSS score combined with unrestricted outbound connectivity highlights significant risk if not patched promptly.

Generated by OpenCVE AI on April 21, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.4 or later to apply the official patch.
  • If upgrading is not immediately possible, reconfigure the Glances IP plugin to remove or secure the public_api parameter—disable it or restrict it to trusted hosts, and eliminate public_username and public_password from the configuration until the update can be made.
  • As a temporary measure, block outbound connections from the Glances process using a firewall or network policy until the CVE is fixed.

Generated by OpenCVE AI on April 21, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g5pq-48mj-jvw8 Glances has SSRF in IP Plugin via public_api leading to credential leakage
History

Thu, 23 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Mon, 20 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
Title Glances IP Plugin has SSRF via public_api that leads to credential leakage
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T14:01:47.583Z

Reserved: 2026-04-03T20:09:02.828Z

Link: CVE-2026-35587

cve-icon Vulnrichment

Updated: 2026-04-21T13:40:26.237Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T00:16:29.030

Modified: 2026-04-23T18:42:27.420

Link: CVE-2026-35587

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses