CVE-2026-32633: Glances's Browser API Exposes Reusable Downstream Credentials via `/api/4/serverslist`
(updated )
In Central Browser mode, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.get_servers_list(). Those objects are mutated in-place during background polling and can contain a uri field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret.
If the front Glances Browser/API instance is started without --password, which is supported and common for internal network deployments, /api/4/serverslist is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance.
References
- github.com/advisories/GHSA-r297-p3v4-wp8m
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e
- github.com/nicolargo/glances/releases/tag/v4.5.2
- github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m
- nvd.nist.gov/vuln/detail/CVE-2026-32633
Code Behaviors & Features
Detect and mitigate CVE-2026-32633 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →