CVE-2026-35587
Status: Received - Intake
SSRF and Credential Leakage in Glances IP Plugin Before

Publication date: 2026-04-21

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: nicolargo
Product: glances
Version / Range: all versions before 4.5.4 (4.5.4 itself is not affected)
CWE
CWE-918 (Server-Side Request Forgery): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35587 is a Server-Side Request Forgery (SSRF) vulnerability in the Glances IP plugin prior to version 4.5.4. It occurs because the `public_api` configuration parameter is used directly in outbound HTTP requests without validating the URL scheme, hostname, or IP address.

An attacker who can modify the Glances configuration can set `public_api` to an arbitrary URL, including internal network addresses or cloud metadata endpoints. This allows the attacker to force Glances to send HTTP requests to arbitrary internal or external endpoints.

If `public_username` and `public_password` are set, Glances automatically includes these credentials in the Authorization: Basic header, which can leak sensitive credentials to attacker-controlled servers.

The root cause is the lack of validation on the `public_api` parameter before use, allowing unrestricted outbound connections and unintended disclosure of sensitive information.


How can this vulnerability impact me?

This vulnerability can have several serious impacts:

  • An attacker who controls the configuration can turn Glances into a request proxy (SSRF) to internal network services that are not reachable from outside.
  • Cloud metadata endpoints (for example 169.254.169.254) can be queried through Glances, which may yield IAM tokens or other instance credentials.
  • Credentials configured in Glances (`public_username` and `public_password`) are sent in the Authorization: Basic header to whatever host `public_api` names, so they leak to an attacker-controlled server.
  • Because the IP plugin uses the response it receives as the host's public IP, a malicious server also controls what Glances reports there, which Glances may then expose through its own API and UI.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

On an unpatched instance the condition to look for is a `public_api` value that you did not set or that points somewhere other than the public IP lookup service you intend: internal addresses (127.0.0.1, 10.x, 172.16-31.x, 192.168.x), link-local addresses such as the cloud metadata endpoint 169.254.169.254, or a scheme other than http/https. Glances reads its configuration from `/etc/glances/glances.conf` for a system install and `~/.config/glances/glances.conf` for a user install; also check any file passed explicitly with `-C`.

Outbound requests from the Glances process can also be monitored. The IP plugin refreshes the public IP periodically (`public_refresh_interval`), so a fetch to an unexpected destination recurs rather than happening once.

Suggested commands include:

  • Inspect the configuration for the whole `[ip]` section, not just the URL, since the credentials matter too: `grep -n 'public_' /etc/glances/glances.conf ~/.config/glances/glances.conf`
  • Capture outbound HTTP requests from the Glances host with `tcpdump`, keeping the filter precedence explicit: `sudo tcpdump -i any -nn 'host <glances_host> and (port 80 or port 443)'`. Requests to internal services may use other ports, so on the Glances host itself also list live connections by process with `sudo ss -tnp | grep glances`.
  • To confirm on a test instance whether credentials are sent, run a local listener (`nc -lvp 9999`), set `public_api=http://127.0.0.1:9999/` in the test configuration, and look for an Authorization: Basic header in the captured request. This is a deliberate check of your own instance, not a passive detection of exploitation.
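
The two checks discussed above, the scheme and destination validation that the unpatched plugin lacks and the configuration inspection the detection commands perform, as an added Python example. This is not Glances' own code: the function names, the sample `[ip]` section and the `resolve_host` helper are assumptions made for the illustration, and the sample configuration is constructed, not taken from a real deployment.

```python
import base64
import configparser
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

# Constructed sample of a glances.conf [ip] section (not from a real
# deployment): public_api points at the cloud metadata address and Basic
# credentials are configured, the combination the advisory describes.
SAMPLE_CONF = """
[ip]
disable=False
public_refresh_interval=300
public_api=http://169.254.169.254/latest/meta-data/
public_username=monitor
public_password=s3cret
"""

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return the set of IP addresses for host. A literal IP maps to itself
    without touching DNS; an unresolvable name yields an empty set."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def check_public_api(url, resolver=resolve_host):
    """Return the reasons url is not an acceptable outbound target for the
    public IP lookup; an empty list means it passed."""
    reasons = []
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        reasons.append(f"scheme {parts.scheme!r} not allowed (http/https only)")
    if not parts.hostname:
        reasons.append("no hostname in URL")
        return reasons
    addrs = resolver(parts.hostname)
    if not addrs:
        reasons.append(f"hostname {parts.hostname!r} does not resolve")
    for addr in addrs:
        # is_global is False for loopback, RFC 1918, link-local (169.254/16,
        # which covers cloud metadata endpoints), reserved and unspecified.
        if not addr.is_global:
            reasons.append(f"{parts.hostname} resolves to non-public address {addr}")
    return reasons


def build_public_api_request(url, username=None, password=None):
    """Hardened counterpart of handing public_api straight to the HTTP client:
    validate the destination first, attach Basic credentials only afterwards."""
    reasons = check_public_api(url)
    if reasons:
        raise ValueError("refusing public_api fetch: " + "; ".join(reasons))
    req = urllib.request.Request(url)
    if username and password:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    return req


def audit_ip_section(conf_text):
    """Parse a glances.conf body and report risky [ip] settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    if not cp.has_section("ip"):
        return findings
    sec = cp["ip"]
    url = sec.get("public_api")
    if url:
        findings.extend(f"public_api: {r}" for r in check_public_api(url))
    if sec.get("public_username") or sec.get("public_password"):
        findings.append(
            "public_username/public_password set: Basic credentials are sent "
            "to whatever host public_api names"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_ip_section(SAMPLE_CONF):
        print("FINDING:", finding)
```

Two caveats apply to any check of this shape. It resolves the hostname before the request and the HTTP client resolves it again, so a name that rebinds to an internal address between the two lookups gets through; pinning the connection to the validated address closes that gap. It also does nothing about HTTP redirects, which urllib follows by default, so a public host that answers with a redirect to 169.254.169.254 must be stopped by a redirect handler that re-validates the target or refuses to follow.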

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Glances to version 4.5.4 or later, where the vulnerability is patched.

If upgrading is not immediately possible, you should:

  • Set `public_api` only to the https URL of the public IP lookup service you actually use, and make sure the configuration file is writable only by the account that runs Glances: the vulnerability requires write access to that file.
  • Disable the IP plugin, or its public IP lookup, if you do not need it, so that no outbound request is made at all.
  • Do not set `public_username` and `public_password` unless the lookup service requires them; with them set, the Basic credentials travel to whatever host `public_api` names.
  • Review Glances logs for failed or unexpected public IP fetches. A warning about a rejected `public_api` scheme or host can only come from a version that validates the value (4.5.4 or later); an unpatched instance performs no such check and logs no such warning.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Glances allows an attacker to perform Server-Side Request Forgery (SSRF) attacks, which can lead to unauthorized access to internal network services and cloud metadata endpoints. This can result in the exposure of sensitive data and credentials.

Such unauthorized access and credential leakage could lead to violations of data protection regulations like GDPR and HIPAA, as sensitive personal or health-related data might be exposed or accessed without proper authorization.

Specifically, the leakage of credentials and access to internal or cloud metadata services could compromise confidentiality and integrity of protected data, thereby impacting compliance with these standards.

