


Perceptive Security
SOC/SIEM Consultancy

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw …
Published:
17 March 2026 at 23:00:00
Alert date:
18 March 2026 at 19:04:01
Source:
nvd.nist.gov
Security Tools, Network Infrastructure
CVE-2026-32633 affects Glances, an open-source cross-platform system monitoring tool, prior to version 4.5.2. In Central Browser mode, the `/api/4/serverslist` endpoint exposes raw server objects containing embedded HTTP Basic credentials for downstream Glances servers. When the front Glances Browser/API instance runs without the `--password` flag (common in internal deployments), the endpoint is completely unauthenticated. Network users can then retrieve reusable pbkdf2-derived authentication credentials for protected downstream servers once those servers have been polled. The exposed credentials allow unauthorized access to the protected Glances server instances. Version 4.5.2 resolves the vulnerability.
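The following audit helper is an added example, not code from the advisory or the Glances project: it checks whether a Glances version predates 4.5.2 and scans a saved `/api/4/serverslist` response from your own Browser instance for embedded credentials, reporting only where they sit and never the values. The response field names (`password`, `uri`) and all sample values are constructed assumptions, since the page does not give the response schema.

```python
import json
import re
from urllib.parse import urlsplit

FIXED = (4, 5, 2)  # first fixed release according to the advisory
# Heuristic key names; assumed, not taken from the Glances schema.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|token|authorization", re.I)

def is_affected(version: str) -> bool:
    """True when the numeric part of a Glances version is older than 4.5.2."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED

def find_exposed_credentials(body: str) -> list[tuple[str, str]]:
    """Return (json_path, reason) for each credential-looking value in the body."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                child = f"{path}.{key}"
                if SECRET_KEY.search(str(key)) and value not in (None, "", False):
                    findings.append((child, "credential-like key"))
                walk(value, child)
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str) and "://" in node:
            try:
                if urlsplit(node).password is not None:
                    findings.append((path, "URL with embedded userinfo"))
            except ValueError:
                pass  # not a parseable URL, ignore

    walk(json.loads(body), "$")
    return findings

# Constructed sample response; field names and values are illustrative only.
SAMPLE = json.dumps([
    {"name": "db01", "ip": "10.0.0.5", "port": 61209, "status": "ONLINE",
     "password": "constructed-hash-value",
     "uri": "http://glances:constructed-hash-value@10.0.0.5:61209"},
    {"name": "web01", "ip": "10.0.0.6", "port": 61209, "status": "ONLINE",
     "password": "", "uri": "http://10.0.0.6:61209"},
])

if __name__ == "__main__":
    print("4.5.1 affected:", is_affected("4.5.1"))
    for path, reason in find_exposed_credentials(SAMPLE):
        print(f"{path}: {reason}")
```

Any finding on an instance that answers without authentication means the downstream credentials should be treated as exposed and rotated after upgrading to 4.5.2.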
Affected products:
Glances
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-32633
https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e
https://github.com/nicolargo/glances/releases/tag/v4.5.2
https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m
This article was created with the assistance of AI technology by Perceptive.
