PT-2026-25820 · Glance+1

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32633

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.2

Description: Glances, an open-source cross-platform system monitoring tool, contains a critical issue in its Central Browser mode. The /api/4/serverslist endpoint returns raw server objects that can contain embedded HTTP Basic credentials for downstream Glances servers. If the Glances Browser/API instance is started without the --password flag, which is common in internal network deployments, this endpoint is completely unauthenticated. Any network user who can reach the Browser API can therefore retrieve reusable credentials for protected downstream Glances servers. The issue arises because server objects are mutated in place during background polling, and the uri field may contain credentials derived from a reusable Glances authentication secret. The uri field is not sanitized before being returned in the API response, so the disclosed credentials can be replayed against downstream Glances servers.

Recommendations: Upgrade to Glances version 4.5.2 or later to resolve this issue.
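The defensive side of the issue described above, as an added example that is not Glances' own code: server objects (constructed sample, field names other than uri are assumed) are copied and their uri field stripped of any user:password@ part before they would be returned by a server-list endpoint, and an audit helper reports which entries would still leak credentials. Running the Browser instance with --password remains the other half of the mitigation.

```python
"""Strip embedded HTTP Basic credentials from server objects before they are
returned by an API response, and audit a server list for remaining leaks.
Added example, not code from the Glances project."""
from copy import deepcopy
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of a Browser-mode server list after background polling
# has written credentials into the uri field. Only "uri" is taken from the
# advisory; "name" and "status" are assumed field names.
POLLED_SERVERS = [
    {"name": "db-01", "uri": "http://glances:s3cr3t@10.0.0.5:61208", "status": "ONLINE"},
    {"name": "web-01", "uri": "http://10.0.0.6:61208", "status": "ONLINE"},
]


def strip_userinfo(uri):
    """Return uri with any user:password@ part removed from its netloc."""
    parts = urlsplit(uri)
    if "@" not in parts.netloc:
        return uri
    host = parts.netloc.rsplit("@", 1)[1]  # keep only host[:port]
    return urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))


def sanitize_serverslist(servers):
    """Build a credential-free copy for the API response.

    A deep copy is used so the response never hands out the same objects
    that the background poller mutates in place."""
    public = deepcopy(servers)
    for srv in public:
        if "uri" in srv:
            srv["uri"] = strip_userinfo(srv["uri"])
    return public


def leaked_credentials(servers):
    """Audit helper: names of servers whose uri still carries userinfo."""
    return [s.get("name", "?") for s in servers
            if "@" in urlsplit(s.get("uri", "")).netloc]


if __name__ == "__main__":
    print("leaking before sanitization:", leaked_credentials(POLLED_SERVERS))
    print("leaking after sanitization: ", leaked_credentials(sanitize_serverslist(POLLED_SERVERS)))
```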

Weakness Enumeration

Insufficiently Protected Credentials
Information Disclosure

Related Identifiers

BDU:2026-07159
CVE-2026-32633
GHSA-R297-P3V4-WP8M
OPENSUSE-SU-2026:10415-1

Affected Products

Glance
Red Os