CVE-2026-32633
Information Disclosure via Unauthenticated API in Glances Browser

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nicolargo
Product: glances
Version / Range: up to 4.5.2 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32633 is a critical vulnerability in the Glances system monitoring tool affecting versions prior to 4.5.2. In Central Browser mode, the API endpoint `/api/4/serverslist` returns raw server objects that include a `uri` field containing embedded HTTP Basic authentication credentials. These credentials are derived from a pbkdf2-hashed password stored in the Glances configuration.

If the Glances Browser/API instance is started without the `--password` option, which is common in internal network deployments, the `/api/4/serverslist` endpoint is completely unauthenticated. This allows any network user who can reach the API to retrieve reusable hashed credentials for protected downstream Glances servers.

The vulnerability arises because server objects are mutated during background polling to include the `uri` field with embedded credentials, and the frontend JavaScript uses this `uri` directly, exposing sensitive information. Version 4.5.2 fixes this by sanitizing the API responses to remove sensitive fields and changing client-side URL construction.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized disclosure and reuse of authentication credentials for downstream Glances servers.

  • Unauthenticated network attackers can retrieve reusable hashed credentials from the `/api/4/serverslist` endpoint if the front-end is started without a password.
  • Attackers can replay these credentials to authenticate against protected downstream servers, gaining unauthorized access.
  • Since a single Browser instance can hold credentials for multiple downstream servers, this can lead to widespread compromise of an entire fleet of monitored servers.
  • Even when a password is set, permissive CORS settings can allow malicious websites to steal credentials from authenticated browser sessions.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Glances Central Browser API endpoint `/api/4/serverslist` is accessible without authentication and if it returns server objects containing sensitive fields such as `uri` with embedded HTTP Basic credentials.

To detect this on your network or system, you can perform an unauthenticated HTTP GET request to the `/api/4/serverslist` endpoint of the Glances Browser instance and inspect the response for embedded credentials.

  • Use curl to query the endpoint: `curl http://<glances-server>:61208/api/4/serverslist`
  • Check the JSON response for any `uri` fields containing embedded usernames and hashed passwords in the format `http://username:hashed_password@host:port`.
  • If you see such credentials in the response and the endpoint is accessible without authentication, the vulnerability is present.
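The check above, as an added example that is not part of this advisory or of the Glances project: it parses a `/api/4/serverslist` response and reports which entries carry userinfo in their `uri`, without ever returning the leaked secret. The response shape (a list of objects with `name` and `uri`) and the sample data are assumptions constructed for the example.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample of what a vulnerable Browser instance might return from
# /api/4/serverslist; the list-of-objects shape is assumed, and the embedded
# "secret" is a placeholder, not a real hash.
SAMPLE_SERVERSLIST = [
    {"name": "web-01", "uri": "http://10.0.0.11:61208"},
    {"name": "db-01", "uri": "http://glances:PLACEHOLDER_HASH@10.0.0.12:61208"},
    {"name": "cache-01"},
]


def find_exposed_credentials(servers):
    """Return one finding per server whose `uri` carries HTTP Basic userinfo.

    The password itself is never returned: only the server name, host and
    username are reported, so the result can be logged without copying the
    leaked secret anywhere else.
    """
    if not isinstance(servers, list):
        return []
    findings = []
    for entry in servers:
        uri = entry.get("uri") if isinstance(entry, dict) else None
        if not isinstance(uri, str):
            continue
        parts = urlsplit(uri)
        if parts.username is None and parts.password is None:
            continue
        findings.append({
            "name": entry.get("name"),
            "host": parts.hostname,
            "username": parts.username,
            "has_password": parts.password is not None,
        })
    return findings


def check_browser_instance(base_url, timeout=5):
    """Query the endpoint with no credentials; return (reachable, findings)."""
    url = base_url.rstrip("/") + "/api/4/serverslist"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as exc:
        # 401 means authentication is enforced: not exposed via this path.
        return (exc.code != 401, [])
    except urllib.error.URLError:
        return (False, [])
    return (True, find_exposed_credentials(body))
```

A non-empty findings list from an unauthenticated request means the instance is exposed; an empty list after an upgrade to 4.5.2 is the expected result, since the fixed version strips the sensitive fields.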

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade Glances to version 4.5.2 or later, where the vulnerability is fixed by sanitizing sensitive fields in the API response.
  • If upgrading is not immediately possible, start the Glances Browser/API instance with the `--password` option to enforce authentication on the `/api/4/serverslist` endpoint.
  • Restrict network access to the Glances Browser API endpoint to trusted users only, for example by firewall rules or network segmentation.
  • Review and adjust CORS settings to prevent credential theft via cross-origin requests.
