PT-2026-25821

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32634

CVSS v3.1: 8.1 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.2
Description

Glances, a cross-platform system monitoring tool, contains a flaw in Central Browser mode. For dynamically discovered servers the browser stores both the Zeroconf-advertised server name and the IP address learned during discovery, but it builds connection URIs from the untrusted advertised name rather than the discovered IP. When a dynamic server is marked as protected, the same untrusted name is used as the lookup key for saved passwords, and the lookup falls back to the global default password when no exact match is found. An attacker on the same local network can therefore advertise a fake Glances service over Zeroconf and, without any user interaction, have the browser connect to an attacker-controlled host and send it a reusable Glances authentication secret (a hash of the configured password). Both the background polling path and the REST/WebUI click-through path are affected.
Recommendations

Update Glances to version 4.5.2 or later. Use the discovered IP address as the only network destination for autodiscovered servers, and do not automatically apply saved or default passwords to dynamic entries.
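The following is an added, illustrative model of the credential flow described above; it is not Glances' own code and does not reproduce its internals. The record layout, function names, hostnames and addresses are assumptions; only the behaviour they model (URI and password lookup keyed on the advertised name with a default-password fallback, versus the recommended IP-only destination with no automatic credentials) comes from the advisory.

```python
# Added illustrative model of CVE-2026-32634 (not Glances' own code).
# Names, addresses and the record layout are assumptions for the demo.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class DynamicServer:
    """A server entry produced by Zeroconf discovery in Central Browser mode."""
    name: str        # advertised service name: attacker-controlled on the LAN
    ip: str          # address learned from the discovery response
    port: int
    protected: bool  # advertised as password-protected


@dataclass
class BrowserConfig:
    # Saved passwords keyed by server name. The stored value is the reusable
    # password hash that the browser sends as its authentication secret.
    saved_passwords: Dict[str, str] = field(default_factory=dict)
    default_password: Optional[str] = None


Resolver = Callable[[DynamicServer, BrowserConfig], Tuple[str, Optional[str]]]


def vulnerable_resolve(server: DynamicServer, cfg: BrowserConfig) -> Tuple[str, Optional[str]]:
    """Pre-4.5.2 behaviour as described in the advisory: the URI is built from
    the advertised name, the password is looked up by that same name, and a
    missing entry falls back to the global default password."""
    uri = f"http://{server.name}:{server.port}/api/4"
    secret = None
    if server.protected:
        secret = cfg.saved_passwords.get(server.name, cfg.default_password)
    return uri, secret


def hardened_resolve(server: DynamicServer, cfg: BrowserConfig) -> Tuple[str, Optional[str]]:
    """Follows the advisory's recommendations: the discovered IP is the only
    destination, and no saved or default password is applied automatically
    to a dynamic entry (the caller must prompt the user instead)."""
    uri = f"http://{server.ip}:{server.port}/api/4"
    return uri, None


def secret_destination(resolver: Resolver, server: DynamicServer,
                       cfg: BrowserConfig) -> Tuple[Optional[str], Optional[str]]:
    """Return (host the browser would connect to, secret it would send)."""
    uri, secret = resolver(server, cfg)
    return urlparse(uri).hostname, secret


# Constructed scenario: a legitimate protected server with a saved password,
# a rogue advertisement under a name the attacker's host answers for, and a
# spoofed advertisement reusing the legitimate server's name.
CONFIG = BrowserConfig(
    saved_passwords={"nas-glances": "sha256:hash-of-nas-password"},
    default_password="sha256:hash-of-default-password",
)
LEGIT = DynamicServer(name="nas-glances", ip="192.0.2.10", port=61208, protected=True)
ROGUE = DynamicServer(name="attacker-box.local", ip="192.0.2.66", port=61208, protected=True)
SPOOFED = DynamicServer(name="nas-glances", ip="192.0.2.66", port=61208, protected=True)


if __name__ == "__main__":
    for label, server in (("legit", LEGIT), ("rogue", ROGUE), ("spoofed", SPOOFED)):
        for resolver in (vulnerable_resolve, hardened_resolve):
            host, secret = secret_destination(resolver, server, CONFIG)
            print(f"{resolver.__name__:18} {label:8} -> {host:22} secret={secret}")
```

The rogue entry shows the default-password leak: no saved entry matches "attacker-box.local", so the vulnerable path ships the global default hash to the attacker's host. The spoofed entry shows the name-keying problem: the vulnerable path cannot tell the attacker's advertisement apart from the real server, since both produce the same name-based URI and the same saved hash, whereas keying on the discovered IP exposes the different destination and sends nothing automatically.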

Weakness Enumeration

Insufficiently Protected Credentials (CWE-522)
Origin Validation Error (CWE-346)

Related Identifiers

BDU:2026-07194
CVE-2026-32634
GHSA-VX5F-957P-QPVM
OPENSUSE-SU-2026:10415-1

Affected Products

Glances
RED OS