Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw …

Published: 17 March 2026 at 23:00:00

Alert date: 18 March 2026 at 19:04:01

Source: nvd.nist.gov

Security Tools, Network Infrastructure

CVE-2026-32633 affects Glances, an open-source cross-platform system monitoring tool, prior to version 4.5.2. In Central Browser mode, the `/api/4/serverslist` endpoint exposes raw server objects containing embedded HTTP Basic credentials for downstream Glances servers. When the front Glances Browser/API instance runs without the `--password` flag (common in internal deployments), the endpoint is completely unauthenticated. Any user on the network can then retrieve reusable pbkdf2-derived authentication credentials for protected downstream servers once those servers have been polled, and use them to gain unauthorized access to the protected Glances server instances. Version 4.5.2 resolves the vulnerability.
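The following audit helper is an added example, not code from the advisory or from the Glances project. It checks a version string against the fixed release and scans a saved `/api/4/serverslist` response from your own front instance for credential-bearing values. The field names (`uri`, `password`) and the `user:secret@host` URL shape in the constructed sample are assumptions, since the advisory does not describe the object layout.

```python
import json
import re
from urllib.parse import urlsplit

FIXED_VERSION = (4, 5, 2)  # the advisory states 4.5.2 resolves the issue

# Constructed sample response body; the field names are assumptions.
SAMPLE_RESPONSE = json.dumps([
    {"name": "db01", "ip": "10.0.0.5", "port": 61209, "status": "ONLINE",
     "uri": "http://glances:EXAMPLE-DERIVED-KEY@10.0.0.5:61209"},
    {"name": "web01", "ip": "10.0.0.6", "port": 61209, "status": "ONLINE",
     "uri": "http://10.0.0.6:61209", "password": ""},
])

def is_patched(version: str) -> bool:
    """True when a dotted version string is 4.5.2 or later."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups()) >= FIXED_VERSION

def find_embedded_credentials(node, path="$"):
    """Return the JSON paths whose values carry a credential."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Assumed key names for a bare password field.
            if key.lower() in {"password", "passwd"} and value:
                hits.append(child)
            hits += find_embedded_credentials(value, child)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_embedded_credentials(value, f"{path}[{i}]")
    elif isinstance(node, str) and "://" in node:
        try:
            parts = urlsplit(node)
        except ValueError:  # malformed URL, nothing to report
            return hits
        if parts.username or parts.password:  # user:secret@host form
            hits.append(path)
    return hits

def audit(version: str, body: str) -> dict:
    """Summarise exposure for one front instance from saved evidence."""
    paths = find_embedded_credentials(json.loads(body))
    return {"patched": is_patched(version), "credential_paths": paths,
            "exposed": bool(paths)}

if __name__ == "__main__":
    print(audit("4.5.1", SAMPLE_RESPONSE))
```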

Affected products: Glances

This article was created with the assistance of AI technology by Perceptive.
