Executive Summary

CVE-2026-35587 is a Server-Side Request Forgery (SSRF) vulnerability in the Glances IP plugin prior to version 4.5.4. It occurs because the `public_api` configuration parameter is used directly in outbound HTTP requests without validating the URL scheme, hostname, or IP address.

An attacker who can modify the Glances configuration can set `public_api` to an arbitrary URL, including internal network addresses or cloud metadata endpoints. This allows the attacker to force Glances to send HTTP requests to arbitrary internal or external endpoints.

If `public_username` and `public_password` are set, Glances automatically includes these credentials in the Authorization: Basic header, which can leak sensitive credentials to attacker-controlled servers.

The root cause is the lack of validation on the `public_api` parameter before use, allowing unrestricted outbound connections and unintended disclosure of sensitive information.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several serious impacts:

• An attacker can perform SSRF attacks to access internal network services that are normally inaccessible.
• Sensitive data from cloud metadata endpoints, such as IAM tokens or other credentials, can be retrieved.
• Credentials configured in Glances (`public_username` and `public_password`) can be leaked to attacker-controlled servers via the Authorization header.
• Attackers can inject arbitrary data into Glances by controlling responses from malicious servers, which may then be exposed via Glances' API.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the Glances configuration file contains a `public_api` parameter set to an arbitrary or suspicious URL, especially those pointing to internal IP addresses (e.g., 127.0.0.1, 192.168.x.x) or cloud metadata endpoints (e.g., 169.254.169.254).

You can monitor outbound HTTP requests made by Glances to detect unexpected connections to internal or external endpoints that should not be contacted.

Suggested commands include:

• Inspect the Glances configuration file for the `public_api` setting, for example: `grep public_api /path/to/glances.conf`
• Use network monitoring tools like `tcpdump` or `wireshark` to capture outbound HTTP requests from the Glances process, e.g., `sudo tcpdump -i any -nn port 80 or port 443 and host <glances_host>`
• Check for unexpected HTTP requests with credentials by running a listener on a test port and observing incoming requests, e.g., `nc -lvp 9999` to catch SSRF attempts if you suspect exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading Glances to version 4.5.4 or later, where the vulnerability is patched.

If upgrading is not immediately possible, you should:

• Remove or restrict the `public_api` configuration parameter to only trusted URLs with validated schemes (http or https).
• Disable the IP plugin or the public API feature in Glances to prevent outbound HTTP requests triggered by this vulnerability.
• Avoid setting `public_username` and `public_password` in the configuration to prevent credential leakage.
• Monitor logs for warnings about forbidden URL schemes or failed public IP fetch attempts, which indicate attempts to exploit the vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Glances allows an attacker to perform Server-Side Request Forgery (SSRF) attacks, which can lead to unauthorized access to internal network services and cloud metadata endpoints. This can result in the exposure of sensitive data and credentials.

Such unauthorized access and credential leakage could lead to violations of data protection regulations like GDPR and HIPAA, as sensitive personal or health-related data might be exposed or accessed without proper authorization.

Specifically, the leakage of credentials and access to internal or cloud metadata services could compromise confidentiality and integrity of protected data, thereby impacting compliance with these standards.

Useful 0 Not Useful 0