CVE-2026-32633 Overview
Glances, an open-source cross-platform system monitoring tool, contains a critical credential exposure vulnerability in its Central Browser mode. Prior to version 4.5.2, the /api/4/serverslist endpoint returns raw server objects from GlancesServersList.get_servers_list() that can contain embedded HTTP Basic credentials, including the reusable pbkdf2-derived Glances authentication secret used for downstream server authentication.
Critical Impact
Unauthenticated attackers with network access to the Browser API can retrieve reusable credentials for protected downstream Glances servers, enabling lateral movement and unauthorized access to monitored infrastructure.
Affected Products
- Nicolargo Glances versions prior to 4.5.2
- Glances Central Browser mode deployments without --password flag
- Internal network deployments with unauthenticated API access
Discovery Timeline
- 2026-03-18 - CVE-2026-32633 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32633
Vulnerability Analysis
This vulnerability represents an information disclosure issue (CWE-200) combined with insufficiently protected credentials (CWE-522). The root cause lies in how Glances handles server credential data in its Central Browser mode architecture.
When Glances operates in Central Browser mode, it maintains a list of monitored downstream Glances servers. The /api/4/serverslist endpoint exposes this list directly by returning raw server objects from the GlancesServersList.get_servers_list() function. These objects are mutated in-place during background polling operations and can contain a uri field with embedded HTTP Basic credentials.
The vulnerability is particularly dangerous because when the front Glances Browser/API instance is started without the --password flag—a supported and common configuration for internal network deployments—the /api/4/serverslist endpoint becomes completely unauthenticated. This means any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers after they have been polled by the browser instance.
Root Cause
The vulnerability stems from improper handling of sensitive credential data in the API response. Server objects containing authentication secrets are returned directly to API consumers without sanitization. The uri field containing embedded HTTP Basic credentials with pbkdf2-derived authentication secrets is exposed in plain text through the API, allowing attackers to harvest these credentials for unauthorized access to downstream monitoring infrastructure.
Attack Vector
The attack requires network access to a Glances Browser instance running without password protection. An attacker can exploit this vulnerability by:
- Identifying a Glances Central Browser instance on the network
- Querying the /api/4/serverslist endpoint without authentication
- Extracting embedded credentials from the returned server objects
- Using harvested credentials to access protected downstream Glances servers
The following excerpt from the fix commit shows a change to the sample server configuration:
#server_3_name=192.168.0.17
#server_3_alias=Another PC on my network
#server_3_port=61209
-#server_1_protocol=rpc
+#server_3_protocol=rpc
#server_4_name=notagooddefinition
#server_4_port=61237
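Review bot: This hunk only corrects a copy-paste error in the commented example configuration (the server_3 block had a stray server_1_protocol line) and does not touch the /api/4/serverslist response handling that the Patch Information section describes as the fix; either quote the sanitization change from the same commit or label this excerpt as an incidental configuration-comment fix. The unchanged context lines also appear to have lost their leading space in extraction, so the hunk as shown would not apply cleanly.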
Source: GitHub Commit Changes
Detection Methods for CVE-2026-32633
Indicators of Compromise
- Unexpected HTTP requests to /api/4/serverslist endpoint from unknown IP addresses
- Multiple sequential API queries from the same source attempting to enumerate server credentials
- Authentication attempts against downstream Glances servers using credentials not provisioned through normal channels
- Network traffic patterns showing reconnaissance activity targeting Glances API endpoints
Detection Strategies
- Monitor web server access logs for requests to the /api/4/serverslist endpoint, particularly from external or unexpected internal sources
- Implement network intrusion detection rules to alert on unauthenticated access to Glances API endpoints
- Review authentication logs on downstream Glances servers for suspicious login attempts correlating with API enumeration activity
- Deploy application-level logging to track API endpoint access patterns and identify anomalous behavior
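As an added example of the log-based detection described above (not part of the original advisory), the following Python flags successful reads of /api/4/serverslist from outside an assumed management subnet and sources that pull the list repeatedly. The log lines and the 10.20.1.0/24 management subnet are constructed; the log format is a generic nginx/Apache style and depends on how the Browser API is actually fronted.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in a common nginx/Apache style; the real
# format depends on how the Browser API is fronted and logged.
LOG_LINES = """\
10.10.0.5 - - [18/Mar/2026:10:01:02 +0000] "GET /api/4/serverslist HTTP/1.1" 200 812
10.10.0.5 - - [18/Mar/2026:10:01:03 +0000] "GET /api/4/serverslist HTTP/1.1" 200 812
10.10.0.5 - - [18/Mar/2026:10:01:04 +0000] "GET /api/4/serverslist HTTP/1.1" 200 812
10.20.1.7 - - [18/Mar/2026:10:02:00 +0000] "GET /api/4/serverslist HTTP/1.1" 200 812
10.20.1.7 - - [18/Mar/2026:10:02:30 +0000] "GET /api/4/cpu HTTP/1.1" 200 311
203.0.113.9 - - [18/Mar/2026:10:03:00 +0000] "GET /api/4/serverslist HTTP/1.1" 200 812
198.51.100.4 - - [18/Mar/2026:10:04:00 +0000] "GET /api/4/serverslist HTTP/1.1" 401 31
""".splitlines()

# Assumed: only this management subnet legitimately reads the server list.
MANAGEMENT_NETS = [ip_network("10.20.1.0/24")]
SENSITIVE_PATH = "/api/4/serverslist"
REPEAT_THRESHOLD = 3  # repeated pulls from one source look like enumeration

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse(line):
    """Extract source, method, path (query stripped) and status from a line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m.group(1), "method": m.group(2),
            "path": m.group(3).split("?")[0], "status": int(m.group(4))}

def is_management(src):
    return any(ip_address(src) in net for net in MANAGEMENT_NETS)

def detect(lines):
    """Flag successful serverslist reads from outside the management subnet
    and any source repeating the request; a 401 means --password held."""
    hits = Counter()
    unexpected = set()
    for raw in lines:
        ev = parse(raw)
        if not ev or ev["path"] != SENSITIVE_PATH or ev["status"] != 200:
            continue
        hits[ev["src"]] += 1
        if not is_management(ev["src"]):
            unexpected.add(ev["src"])
    return {"unexpected_source": sorted(unexpected),
            "repeated_enumeration": sorted(s for s, n in hits.items()
                                           if n >= REPEAT_THRESHOLD)}
```

Only 200 responses count because a 401 shows the endpoint was already protected; the flagged sources are the ones to correlate with authentication logs on downstream servers.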
Monitoring Recommendations
- Enable detailed access logging on all Glances instances and forward logs to centralized SIEM for correlation analysis
- Implement network segmentation monitoring to detect lateral movement attempts using harvested credentials
- Configure alerts for failed authentication attempts on downstream Glances servers that may indicate credential replay attacks
- Establish baseline API access patterns to identify deviations indicative of exploitation attempts
How to Mitigate CVE-2026-32633
Immediate Actions Required
- Upgrade all Glances installations to version 4.5.2 or later immediately
- Enable password authentication on all Glances Browser instances using the --password flag until patches can be applied
- Audit network access controls to restrict who can reach Glances API endpoints
- Review access logs for evidence of exploitation and rotate credentials on any potentially compromised downstream servers
Patch Information
The vulnerability is fixed in Glances version 4.5.2. The patch sanitizes server objects before returning them via the API, removing embedded credentials from the response. For detailed information about the fix, refer to the GitHub Security Advisory GHSA-r297-p3v4-wp8m and the GitHub Release Version 4.5.2.
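As an added illustration (not Glances's own code) of the root cause and the fix described above: the raw-return pattern beside a sanitized variant that deep-copies the entries and redacts userinfo from each uri before the response leaves the API, plus a check a defender can run on a captured response. The server entries are constructed, the placeholder secrets are not real hashes, and the field names other than uri are assumptions.

```python
import copy
from urllib.parse import urlsplit, urlunsplit

# Constructed sample entries; the key set is an assumption about the shape of
# a Central Browser server object. The secrets are placeholders, not real hashes.
SERVERS = [
    {"name": "db01", "protocol": "rest",
     "uri": "http://glances:CONSTRUCTED_PBKDF2_SECRET@10.0.0.5:61208"},
    {"name": "web01", "protocol": "rest", "uri": "http://10.0.0.6:61208"},
    {"name": "v6host", "protocol": "rest",
     "uri": "http://glances:CONSTRUCTED_SECRET@[fd00::5]:61208/"},
]

def strip_userinfo(uri):
    """Return uri with any user:password@ removed; other parts unchanged."""
    p = urlsplit(uri)
    if p.username is None and p.password is None:
        return uri
    host = p.hostname or ""
    if ":" in host:          # IPv6 literal must be re-bracketed
        host = "[" + host + "]"
    if p.port is not None:
        host = "%s:%d" % (host, p.port)
    return urlunsplit((p.scheme, host, p.path, p.query, p.fragment))

def serverslist_vulnerable(servers):
    """Pre-4.5.2 pattern described on the page: hand back the live objects,
    so whatever the background poller wrote into uri reaches the caller."""
    return servers

def serverslist_sanitized(servers):
    """Hardened form: deep-copy so the poller's in-place mutations never
    leak, then redact credentials from every uri before serialising."""
    out = copy.deepcopy(servers)
    for entry in out:
        if "uri" in entry:
            entry["uri"] = strip_userinfo(entry["uri"])
    return out

def response_leaks_credentials(entries):
    """Defender check on an API response: does any uri still embed userinfo?"""
    return any(urlsplit(e.get("uri", "")).username is not None for e in entries)
```

response_leaks_credentials() can be pointed at the JSON body of a live /api/4/serverslist response to confirm a deployment has been patched.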
Workarounds
- Enable authentication on Glances Browser instances by starting with the --password flag to require authentication for API access
- Implement network-level access controls (firewall rules, ACLs) to restrict access to Glances API endpoints to authorized management systems only
- Deploy a reverse proxy with authentication in front of Glances instances to add an additional authentication layer
- Segment monitoring infrastructure from general network access to limit the attack surface
# Enable password authentication on Glances Browser instance
glances --browser --password
# Alternative: Configure authentication in glances.conf
# [passwords]
# server_password=your_secure_password
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

