CVE-2026-32633
Published: 18 March 2026
Summary
CVE-2026-32633 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Nicolargo Glances. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): forbids serving the /api/4/serverslist endpoint without identification and authentication, which directly addresses the unauthenticated exposure of credentials.
- AC-3 (Access Enforcement): enforces access controls so that network users cannot retrieve server objects containing embedded credentials through the unauthenticated endpoint.
- Filtering sensitive credential information out of API responses prevents exposure of raw server objects with embedded HTTP Basic credentials, even where the endpoint itself remains reachable.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes embedded credentials through an unauthenticated public API endpoint (/api/4/serverslist) in Glances Browser mode. That directly enables remote exploitation of a public-facing application (T1190) and the retrieval of unsecured credentials (T1552) for the downstream Glances servers the browser instance polls.
NVD Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.
Deeper analysis
CVE-2026-32633 is a critical-severity vulnerability (CVSS 3.1 base score 9.1) affecting Glances, an open-source cross-platform system monitoring tool, in versions prior to 4.5.2. In Central Browser mode, the `/api/4/serverslist` endpoint exposes raw server objects returned by `GlancesServersList.get_servers_list()`. These objects are mutated in-place during background polling and may include a `uri` field containing embedded HTTP Basic credentials for downstream Glances servers, derived from a reusable PBKDF2-based Glances authentication secret. The issue is linked to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-522 (Insufficiently Protected Credentials).
Any network user able to reach the front Glances Browser/API instance can exploit this vulnerability remotely with low complexity and no privileges required. If the instance is started without the `--password` option—a common configuration for internal network deployments—the endpoint remains completely unauthenticated. Attackers can retrieve the reusable credentials for protected downstream Glances servers once they have been polled by the browser instance, enabling high-impact confidentiality and integrity violations such as unauthorized access to those servers.
The Glances project addressed this in version 4.5.2, as detailed in the security advisory (GHSA-r297-p3v4-wp8m), release notes, and fixing commit (879ef8688ffa1630839549751d3c7ef9961d361e). Security practitioners should upgrade to Glances 4.5.2 or later and consider enforcing `--password` authentication on Browser/API instances to mitigate exposure.
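To make the exposure concrete, below is an added audit-and-remediation example; it is not code from the Glances project. It assumes the endpoint returns a JSON list of server objects each carrying a `uri` field (the field named in the advisory); every other key in the constructed sample, and the credential values themselves, are made up for illustration. `find_exposed_credentials` is the check a defender would run against a Browser instance reachable without `--password`, and `redact_uri`/`sanitize_serverslist` show the shape of the response filtering described under the mitigating controls above.

```python
"""Audit a Glances Browser /api/4/serverslist response for embedded credentials.

Added example, not Glances project code. Only the `uri` field is taken from the
advisory; the remaining keys and all credential values below are constructed.
"""
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of what a vulnerable (< 4.5.2) Browser instance could return
# once its downstream servers have been polled. Usernames/passwords are fake.
SAMPLE_SERVERSLIST = [
    {"name": "db01", "uri": "http://glances:s3cr3t-derived@10.0.0.11:61208/api/4", "status": "ONLINE"},
    {"name": "web01", "uri": "http://10.0.0.12:61208/api/4", "status": "ONLINE"},
    {"name": "cache01", "uri": "http://admin:pbkdf2-secret@10.0.0.13:61208/api/4", "status": "OFFLINE"},
]


def find_exposed_credentials(servers):
    """Return [(name, username, host)] for every server whose `uri` carries userinfo.

    The password is deliberately not returned so the audit output can be shared
    without re-leaking what the endpoint leaked.
    """
    findings = []
    for entry in servers:
        uri = entry.get("uri")
        if not uri:
            continue
        parts = urlsplit(uri)
        if parts.username is not None or parts.password is not None:
            findings.append((entry.get("name", "?"), parts.username, parts.hostname))
    return findings


def redact_uri(uri):
    """Strip the `user:password@` userinfo from a URI, keeping scheme, host, port and path."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri
    host = parts.hostname or ""
    if ":" in host:  # urlsplit drops the brackets of an IPv6 literal; restore them
        host = f"[{host}]"
    netloc = f"{host}:{parts.port}" if parts.port else host
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def sanitize_serverslist(servers):
    """Return a copy of the server list that is safe to hand to unauthenticated clients.

    The originals are left untouched: the browser still needs the credential to poll,
    the API consumer never does.
    """
    return [
        {**entry, "uri": redact_uri(entry["uri"])} if entry.get("uri") else dict(entry)
        for entry in servers
    ]


def audit_browser(base_url, timeout=5):
    """Fetch /api/4/serverslist from a Browser instance with no credentials and report leaks.

    A non-empty result from an instance reachable without --password is exactly the
    condition CVE-2026-32633 describes. Network call; not exercised by the offline sample.
    """
    url = f"{base_url.rstrip('/')}/api/4/serverslist"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        servers = json.load(resp)
    return find_exposed_credentials(servers)


if __name__ == "__main__":
    for name, user, host in find_exposed_credentials(SAMPLE_SERVERSLIST):
        print(f"EXPOSED: server {name!r} leaks a credential for user {user!r} on {host}")
    print(json.dumps(sanitize_serverslist(SAMPLE_SERVERSLIST), indent=2))
```

Run `audit_browser("http://browser-host:61208")` against a lab instance started without `--password` to confirm the pre-4.5.2 behaviour; after upgrading to 4.5.2 (or once `--password` is enforced on the front instance), the unauthenticated fetch should either be refused or return no entries with userinfo in `uri`.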
Details
- CWE(s)