PT-2026-33777 · Glance · Glance

Published 2026-04-20 · Updated 2026-04-22 · CVE-2026-35587

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.4
Description: A Server-Side Request Forgery (SSRF) issue exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is passed directly to the plugin's urlopen_auth() function without any restriction on URL scheme, hostname or IP address. An attacker able to modify the configuration can therefore make the application send requests to arbitrary internal or external endpoints, such as localhost, private network ranges or cloud metadata endpoints (e.g. 'http://169.254.169.254/'). Furthermore, if public_username and public_password are configured, Glances automatically sends these credentials in an Authorization: Basic header with that request, so they leak to any attacker-controlled server named in public_api.
Recommendations: Update to version 4.5.4. As a temporary workaround, do not set the public_api parameter in the IP plugin configuration until the update is applied. Since exploitation requires the ability to change that configuration (the vector assumes PR:L), also restrict who can write the Glances configuration file.
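As an added illustration (not Glances' own code, and not the 4.5.4 fix), the following Python model places the behaviour described above, any URL accepted and credentials attached unconditionally, next to a hardened request builder that vets the scheme, rejects URL-embedded credentials, resolves the host and refuses loopback, link-local, private and other non-global addresses (including IPv4-mapped IPv6 literals such as ::ffff:169.254.169.254), and only attaches Basic credentials over https. The function names, the hostnames under .example and the DNS answers are constructed for the example so it runs offline.

```python
import base64
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import Request


class UnsafePublicApiUrl(ValueError):
    """Raised when a public_api value must not be fetched."""


def _basic_auth(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def build_request_unrestricted(url, username=None, password=None):
    """Model of the behaviour the advisory describes (not Glances' own code):
    the configured URL is used as-is and, whenever credentials are set, an
    Authorization: Basic header is attached no matter where the request goes."""
    req = Request(url)
    if username and password:
        req.add_header("Authorization", _basic_auth(username, password))
    return req


def _effective_address(ip):
    # ::ffff:169.254.169.254 is an IPv6 literal that really targets IPv4
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip


def _is_blocked(ip):
    """True for any address a public-IP lookup has no business contacting."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def classify_public_api_url(url, resolve=socket.getaddrinfo):
    """Return "ok" or a short rejection reason for a candidate public_api URL.
    resolve() has socket.getaddrinfo's signature so a fake can be injected."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "scheme"                      # no file:, ftp:, data:, ...
    if not parts.hostname:
        return "no-host"
    if parts.username or parts.password:
        return "embedded-credentials"        # https://user:pw@host/ is not allowed
    try:
        ips = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                       # a name: vet every address it resolves to
        try:
            answers = resolve(parts.hostname, None)
        except socket.gaierror:
            return "unresolvable"
        ips = [ipaddress.ip_address(a[4][0]) for a in answers]
    for ip in map(_effective_address, ips):
        if _is_blocked(ip):
            return f"blocked-address:{ip}"
    return "ok"


def build_request_hardened(url, username=None, password=None, resolve=socket.getaddrinfo):
    """Same builder, but refuse unsafe targets and never send Basic credentials
    over plaintext http. The check runs before connecting, so a DNS answer that
    changes between check and connect (rebinding) is not covered here; pinning
    the vetted address at connect time closes that gap."""
    verdict = classify_public_api_url(url, resolve)
    if verdict != "ok":
        raise UnsafePublicApiUrl(f"{url}: {verdict}")
    req = Request(url)
    if username and password:
        if urlsplit(url).scheme != "https":
            raise UnsafePublicApiUrl(f"{url}: refusing to send credentials in clear text")
        req.add_header("Authorization", _basic_auth(username, password))
    return req


# Constructed DNS answers so the example runs offline; real code resolves for real.
_DEMO_DNS = {
    "public.example": ["93.184.216.34"],                 # any routable address
    "internal.example": ["10.0.0.5"],
    "rebind.example": ["93.184.216.34", "127.0.0.1"],    # one bad answer is enough
}


def demo_resolve(host, port, *args, **kwargs):
    """Stand-in for socket.getaddrinfo backed by the constructed table above."""
    if host not in _DEMO_DNS:
        raise socket.gaierror(-2, f"{host}: Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port or 0))
            for ip in _DEMO_DNS[host]]


if __name__ == "__main__":
    leaky = build_request_unrestricted("http://169.254.169.254/", "glances", "s3cret")
    print("unrestricted:", leaky.full_url, leaky.get_header("Authorization"))
    for url in ("http://169.254.169.254/latest/meta-data/",
                "https://[::ffff:169.254.169.254]/",
                "https://[::1]:8443/",
                "file:///etc/passwd",
                "https://user:pw@public.example/",
                "https://internal.example/",
                "https://rebind.example/",
                "https://public.example/"):
        print(f"{url:45} -> {classify_public_api_url(url, demo_resolve)}")
```

The unrestricted builder shows the two halves of the finding in one object: the metadata URL is accepted verbatim, and the Authorization header travels with it. The hardened variant is a generic SSRF guard, not a description of what 4.5.4 changed; the advisory's actual remediation remains the upgrade.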

Weakness Enumeration: SSRF

Related Identifiers

CVE-2026-35587
GHSA-G5PQ-48MJ-JVW8
OPENSUSE-SU-2026:10602-1

Affected Products

Glances