CVE-2026-32634 Overview
CVE-2026-32634 is an Origin Validation Error (CWE-346) vulnerability affecting Glances, an open-source cross-platform system monitoring tool. In Central Browser mode, Glances improperly trusts Zeroconf-advertised server names when building connection URIs and looking up saved passwords, rather than using the discovered IP addresses. This design flaw allows an attacker on the same local network to advertise a fake Glances service and capture reusable authentication credentials when the browser attempts to connect.
The vulnerability affects both the background polling path and the REST/WebUI click-through path in Central Browser mode, making it a significant risk for organizations using Glances in networked environments with Zeroconf service discovery enabled.
Critical Impact
An attacker on the local network can exfiltrate Glances authentication secrets by advertising a malicious Zeroconf service, enabling credential theft and potential lateral movement.
Affected Products
- Nicolargo Glances versions prior to 4.5.2
- Glances Central Browser mode deployments with Zeroconf discovery enabled
- Any Glances installation using saved passwords or default credentials in the [passwords] configuration
Discovery Timeline
- 2026-03-18 - CVE-2026-32634 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32634
Vulnerability Analysis
This vulnerability stems from a trust boundary violation in how Glances handles Zeroconf (mDNS/DNS-SD) service discovery in Central Browser mode. When Glances discovers servers via Zeroconf, it stores both the advertised server name (untrusted, attacker-controlled) and the discovered IP address. However, critical operations—including URI construction for connections and password lookups—use the untrusted advertised name rather than the verified IP address.
When a dynamic server reports itself as "protected," Glances uses the untrusted name as the lookup key for saved passwords in the [passwords] section and falls back to the global [passwords] default credential. This creates a scenario where an attacker can advertise a fake service with a name matching a legitimate server entry, causing Glances to send stored credentials to the attacker-controlled endpoint.
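A self-contained model of the name-keyed lookup described above beside its hardened form, written for this page rather than taken from Glances (the helper names, the config values and the server dicts are constructed; the hardened variant is stricter than the 4.5.2 patch in that it trusts only entries explicitly marked STATIC):

```python
import configparser

# Constructed glances.conf fragment for this example, not a real deployment.
GLANCES_CONF = """
[passwords]
default=shared-default-secret
monitor-01=secret-for-monitor-01
"""

# Constructed server entries in the shape the Central Browser keeps:
# a preconfigured static entry, a Zeroconf-discovered entry whose advertised
# name collides with it, and a Zeroconf entry with an unknown name.
STATIC_SERVER = {'name': 'monitor-01', 'ip': '10.0.0.10', 'type': 'STATIC'}
SPOOFED_SERVER = {'name': 'monitor-01', 'ip': '10.0.0.99', 'type': 'DYNAMIC'}
UNKNOWN_SERVER = {'name': 'dev-box', 'ip': '10.0.0.77', 'type': 'DYNAMIC'}


def load_passwords(conf_text):
    """Parse the [passwords] section into a dict (hypothetical helper)."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    return dict(parser['passwords']) if parser.has_section('passwords') else {}


def vulnerable_lookup(passwords, server):
    """Pre-4.5.2 behaviour: key the lookup on the advertised name and fall
    back to the global default, regardless of where the entry came from."""
    return passwords.get(server['name'], passwords.get('default'))


def hardened_lookup(passwords, server):
    """Fail-closed variant: only explicitly STATIC entries may receive a
    saved or default credential; Zeroconf entries (and anything untyped)
    get None and the user is prompted instead."""
    if server.get('type') != 'STATIC':
        return None
    return passwords.get(server['name'], passwords.get('default'))


def connect_host(server):
    """Connect to dynamic entries by discovered IP, never by advertised name."""
    if server.get('type') == 'DYNAMIC':
        return server['ip']
    return server['name']
```

With the constructed config, the spoofed entry receives the saved secret for monitor-01 under the old lookup and the unknown entry receives the global default; the hardened lookup returns None for both.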
Root Cause
The root cause is improper origin validation when handling dynamically discovered Zeroconf services. The client_browser.py module called self.servers_list.password.get_password(server['name']) to retrieve passwords, where server['name'] is the untrusted advertised name rather than a verified identifier. Similarly, connection URIs were built using this untrusted name, allowing attackers to redirect connections.
The vulnerability exists because dynamic (Zeroconf) server entries were treated with the same trust level as preconfigured static entries, despite the advertised name being fully attacker-controlled in a network spoofing scenario.
Attack Vector
The attack requires adjacent network access, meaning the attacker must be on the same local network segment as the Glances Central Browser instance. The attack workflow involves:
- The attacker advertises a fake Glances service via Zeroconf with a crafted server name
- Glances Central Browser discovers the fake service and adds it to the servers list
- When Glances attempts to connect (either via background polling or user click-through), it uses the attacker's advertised name for password lookup
- If a matching password exists or a default credential is configured, Glances sends these credentials to the attacker's server
- The attacker captures reusable authentication secrets for potential replay attacks
The following patch demonstrates the security fix implemented in version 4.5.2:
# A password is needed to access to the server's stats
if server['password'] is None:
# First of all, check if a password is available in the [passwords] section
- clear_password = self.servers_list.password.get_password(server['name'])
+ # Use _get_preconfigured_password to avoid leaking saved/default credentials
+ # to untrusted dynamic (Zeroconf) server entries
+ clear_password = self.servers_list._get_preconfigured_password(server)
if (
clear_password is None
or self.servers_list.get_servers_list()[self.screen.active_server]['status'] == 'PROTECTED'
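Review bot: the replacement call reaches across modules into a leading-underscore method, `self.servers_list._get_preconfigured_password(server)`; since this is client_browser.py calling into the servers list, give the method a public name (for example `get_preconfigured_password`) or document it as part of the servers-list interface, so the credential-scoping rule is not treated as a private detail a later refactor may bypass. A regression test that builds a server dict with `type == 'DYNAMIC'` and asserts `clear_password is None` on this path would also pin the behaviour, since the condition below then routes the entry into the PROTECTED handling.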
Source: GitHub Commit 61d38ee
The fix introduces new methods to properly handle dynamic servers:
self.threads_list[key] = thread
thread.start()
+ @staticmethod
+ def _get_connect_host(server):
+ """Return the host to use for connecting to the server.
+
+ For dynamic (Zeroconf) servers, use the discovered IP address
+ instead of the untrusted advertised name.
+ """
+ if server.get('type') == 'DYNAMIC':
+ return server['ip']
+ return server['name']
+
+ def _get_preconfigured_password(self, server):
+ """Return the preconfigured password for the server.
+
+ Dynamic (Zeroconf) entries are untrusted and should not inherit
+ saved or default credentials to prevent credential exfiltration
+ via fake Zeroconf services.
+ """
+ if server.get('type') == 'DYNAMIC':
+ return None
+ return self.password.get_password(server['name'])
+
def get_uri(self, server):
"""Return the URI for the given server dict."""
+ host = self._get_connect_host(server)
# Select the connection mode (with or without password)
if server['password'] != "":
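Review bot: both `_get_connect_host` and `_get_preconfigured_password` test `server.get('type') == 'DYNAMIC'` and treat every other value, including a missing `type` key, as trusted, which fails open if any code path builds a server dict without setting `type`. Invert the check so only the explicit value preconfigured entries use (`'STATIC'`) gets the name-based password lookup and the advertised name as host, returning None / the IP otherwise. In `_get_connect_host`, `server['ip']` raises KeyError for a dynamic entry discovered without a resolved address; prefer `server.get('ip')` with an explicit failure rather than a fallback to `server['name']`, which would reintroduce the original issue.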
Source: GitHub Commit 61d38ee
Detection Methods for CVE-2026-32634
Indicators of Compromise
- Unexpected Zeroconf service advertisements for Glances on the local network with unfamiliar server names
- Failed authentication attempts from Glances Central Browser to unknown IP addresses
- Network traffic showing Glances credentials being sent to non-legitimate server endpoints
- Unusual mDNS/DNS-SD traffic patterns indicating potential service spoofing
Detection Strategies
- Monitor mDNS/Zeroconf traffic for anomalous Glances service advertisements, particularly those with server names matching legitimate servers but different IP addresses
- Implement network segmentation monitoring to detect adjacent network attacks targeting service discovery protocols
- Review Glances Central Browser logs for connection attempts to unexpected hosts
- Deploy network intrusion detection signatures for Zeroconf spoofing patterns
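An added example (not part of the original advisory or of Glances) of the first strategy above: checking observed service advertisements against a trusted static inventory and flagging a trusted name answered from a different address, an unknown name, or one name resolving to several addresses. The inventory and the observations are constructed.

```python
from collections import defaultdict

# Trusted inventory: the static entries an operator preconfigured
# (constructed values for this example).
KNOWN_SERVERS = {
    'monitor-01': '10.0.0.10',
    'monitor-02': '10.0.0.11',
}

# Constructed mDNS/DNS-SD observations of Glances advertisements as
# (advertised name, resolved address). The third record reuses a
# trusted name from a different address; the fourth is an unknown name.
OBSERVED = [
    ('monitor-01', '10.0.0.10'),
    ('monitor-02', '10.0.0.11'),
    ('monitor-01', '10.0.0.99'),
    ('lab-node', '10.0.0.42'),
]


def find_spoofed_advertisements(known, observed):
    """Return (kind, name, detail) alerts for advertisements that reuse a
    trusted server name from an unexpected address, register an unknown
    name, or answer for one name from more than one address."""
    alerts = []
    addresses_by_name = defaultdict(set)
    for name, ip in observed:
        addresses_by_name[name].add(ip)
        if name in known and known[name] != ip:
            # The pattern from the advisory: legitimate name, attacker address.
            alerts.append(('NAME_IP_MISMATCH', name, ip))
        elif name not in known:
            alerts.append(('UNKNOWN_SERVICE', name, ip))
    # A name seen from several addresses means two hosts claim it.
    for name, ips in addresses_by_name.items():
        if len(ips) > 1:
            alerts.append(('NAME_COLLISION', name, ','.join(sorted(ips))))
    return alerts


if __name__ == '__main__':
    for kind, name, detail in find_spoofed_advertisements(KNOWN_SERVERS, OBSERVED):
        print(f'{kind}: {name} -> {detail}')
```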
Monitoring Recommendations
- Enable verbose logging in Glances Central Browser mode to capture server discovery and connection events
- Monitor network traffic for Glances authentication exchanges to validate destination endpoints
- Implement alerting for new Zeroconf service registrations on critical network segments
- Conduct regular audits of discovered servers in Glances Central Browser to identify suspicious entries
How to Mitigate CVE-2026-32634
Immediate Actions Required
- Upgrade Glances to version 4.5.2 or later immediately
- Review and audit any shared or default passwords configured in the Glances [passwords] section
- Rotate credentials that may have been exposed if Glances was running in Central Browser mode with Zeroconf enabled
- Consider disabling Zeroconf discovery until the patch is applied, using only preconfigured static server entries
Patch Information
The vulnerability is fixed in Glances version 4.5.2. The patch introduces two key changes: dynamic (Zeroconf) servers now use the discovered IP address for connections via _get_connect_host(), and the new _get_preconfigured_password() method prevents saved or default credentials from being sent to untrusted dynamic servers.
For detailed patch information, see the GitHub Security Advisory GHSA-vx5f-957p-qpvm and release notes for version 4.5.2.
Workarounds
- Disable Zeroconf service discovery in Glances by using only manually configured static server entries
- Remove default credentials from the [passwords] section of the Glances configuration
- Implement network segmentation to isolate Glances Central Browser instances from untrusted network segments
- Use firewall rules to restrict mDNS traffic (UDP port 5353) on networks running Glances Central Browser
# Configuration example - Disable default password inheritance
# In glances.conf, remove or comment out default password entries
[passwords]
# default=yourpassword # REMOVE THIS LINE to prevent credential leakage
# Instead, use only explicit server entries after upgrading to 4.5.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.