CVE-2026-32634
Authentication Secret Exposure via Zeroconf Spoofing in Glances

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects both the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nicolargo
Product: glances
Version / Range: up to 4.5.2 (exclusive)
CWE
CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
CWE-346: The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32634 is a vulnerability in Glances, an open-source cross-platform system monitoring tool, specifically affecting its Central Browser mode with Zeroconf-based dynamic server autodiscovery.

In this mode, Glances stores both the Zeroconf-advertised server name (which is untrusted) and the discovered IP address (which is trusted) for dynamic servers. However, when building connection URIs and looking up passwords, Glances incorrectly uses the untrusted advertised server name instead of the trusted IP address.

If a dynamic server marks itself as protected, Glances uses the advertised server name as the key to retrieve saved passwords or a global default password, hashes this password, and constructs an HTTP Basic Authentication URI embedding the username and hashed password but using the untrusted advertised name as the host.

An attacker on the same local network can exploit this by advertising a fake Glances service via Zeroconf with a malicious service name. When Glances autodiscovers this fake service, it sends the reusable hashed authentication secret to the attacker-controlled host embedded in the URI, allowing the attacker to capture and replay credentials without user interaction.
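A simplified model of the URI construction the answer above describes, added here as an illustration and not Glances' own code: the pre-4.5.2 path addresses and keys the server by the advertised name, the hardened path by the discovered IP, and a defender's check flags any credential-bearing URI whose host is not the discovered IP. The record layout, password store, hashing, names and addresses are constructed assumptions.

```python
"""Model of the Central Browser URI construction described for CVE-2026-32634.
Written for this page, not Glances' own code; store, hashing, names and IPs
are constructed assumptions."""
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional
from urllib.parse import urlsplit

@dataclass
class DynamicServer:
    name: str        # Zeroconf-advertised name: anyone on the LAN can choose it
    ip: str          # address observed during discovery
    port: int
    protected: bool  # server reports that it requires authentication

# Constructed password store: one saved entry plus the global default.
USERNAME = "glances"
SAVED_PASSWORDS = {"10.0.0.5": "saved-for-known-host"}
DEFAULT_PASSWORD = "reusable-default"

def hashed(password: str) -> str:
    # The advisory says a hashed password is embedded; SHA-256 stands in here.
    return sha256(password.encode()).hexdigest()

def build_uri_vulnerable(srv: DynamicServer) -> str:
    """Pre-4.5.2 behaviour: the untrusted name is both host and lookup key."""
    if not srv.protected:
        return f"http://{srv.name}:{srv.port}"
    secret = hashed(SAVED_PASSWORDS.get(srv.name, DEFAULT_PASSWORD))
    return f"http://{USERNAME}:{secret}@{srv.name}:{srv.port}"

def build_uri_hardened(srv: DynamicServer) -> Optional[str]:
    """Address and key by the discovered IP. This model also declines to send
    the default credential to a dynamic host with no saved entry; that is a
    design choice here, not a description of the 4.5.2 patch."""
    if not srv.protected:
        return f"http://{srv.ip}:{srv.port}"
    password = SAVED_PASSWORDS.get(srv.ip)
    if password is None:
        return None  # caller should prompt instead of leaking a reusable secret
    return f"http://{USERNAME}:{hashed(password)}@{srv.ip}:{srv.port}"

def leaks_credentials(uri: Optional[str], discovered_ip: str) -> bool:
    """Defender's check: a credential-bearing URI whose host is not the
    discovered IP hands the secret to whoever controls that name."""
    if uri is None:
        return False
    parts = urlsplit(uri)
    return parts.password is not None and parts.hostname != discovered_ip
```

With a spoofed advertisement (attacker-chosen name, attacker's IP, no saved entry), the vulnerable builder embeds the hashed default credential and addresses the attacker's name, while the hardened builder returns no URI at all.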


How can this vulnerability impact me?

This vulnerability can lead to credential exfiltration and authentication replay attacks for users running Glances in Central Browser mode with Zeroconf autodiscovery enabled and saved or default passwords configured.

An attacker on the same local network can impersonate a Glances server by advertising a fake Zeroconf service, causing Glances to send reusable hashed authentication secrets to the attacker-controlled host automatically.

This allows the attacker to steal authentication credentials without any user interaction and potentially abuse the REST/WebUI by opening attacker-controlled URLs with embedded credentials.

The impact includes high confidentiality and integrity risks, as attackers can gain unauthorized access to monitoring data or control, but availability is not affected.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves Glances in Central Browser mode sending reusable hashed authentication secrets to attacker-controlled hosts when a fake Zeroconf service is advertised on the local network.

To detect exploitation attempts on your network or system, monitor for unusual Zeroconf (mDNS) advertisements of Glances services with unexpected or suspicious service names.

Additionally, network traffic analysis can be used to identify HTTP requests from Glances clients to unknown or attacker-controlled IP addresses containing embedded authentication credentials in the URI.

- Use a network packet capture tool such as tcpdump or Wireshark to monitor mDNS traffic for suspicious Glances service advertisements: `sudo tcpdump -i <interface> port 5353`
- Inspect HTTP traffic from Glances clients for URIs containing embedded credentials sent to unexpected hosts: `sudo tcpdump -i <interface> -A 'tcp port 80 or 443'`
- Check Glances configuration and logs for dynamic Zeroconf-discovered servers using untrusted advertised names instead of IP addresses.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Glances to version 4.5.2 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, consider disabling Central Browser mode or Zeroconf-based dynamic server autodiscovery to prevent automatic connection to untrusted dynamic servers.

Avoid configuring saved or default passwords for dynamic Zeroconf-discovered servers, as these credentials can be leaked to attacker-controlled hosts.

Monitor your network for suspicious Zeroconf advertisements and unauthorized HTTP requests, as described in the detection steps above.

