CVE-2026-35587: Glances has SSRF in IP Plugin via public_api leading to credential leakage
(updated )
A Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation.
An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers.
This vulnerability can be exploited to:
Access internal network services (e.g., 127.0.0.1, 192.168.x.x) Retrieve sensitive data from cloud metadata endpoints (e.g., 169.254.169.254) Exfiltrate credentials via outbound HTTP requests
The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information.
References
- github.com/advisories/GHSA-g5pq-48mj-jvw8
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb
- github.com/nicolargo/glances/releases/tag/v4.5.4
- github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8
- nvd.nist.gov/vuln/detail/CVE-2026-35587
Code Behaviors & Features
Detect and mitigate CVE-2026-35587 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →