Cyber Posture

CVE-2026-35587

Severity: High · Public PoC available

Published: 21 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (Glances 4.5.4)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (4.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35587 is a high-severity SSRF (CWE-918) vulnerability in Nicolargo Glances. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS model places it at the 4.8th percentile of exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques (T1552.005, T1567). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Patch the flaw. Upgrade Glances to version 4.5.4 or later, which adds validation of the public_api parameter so that it can no longer drive arbitrary outbound requests.

prevent: SI-10 (Information Input Validation). Validate the public_api configuration value before it reaches the HTTP client: restrict the scheme to http/https and reject hostnames or IPs that point at loopback, private or link-local ranges (including the cloud metadata endpoint).

prevent: CM-5 (Access Restrictions for Change). Restrict who can modify the Glances configuration so that low-privileged users cannot change public_api (or public_username/public_password) to trigger the SSRF or redirect the Basic credentials.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1552.005 Cloud Instance Metadata API (Credential Access): Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

T1567 Exfiltration Over Web Service (Exfiltration): Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Why these techniques?

SSRF in a public-facing Glances instance directly enables T1190; the ability to reach cloud metadata endpoints through the forged request maps to T1552.005; leakage of the configured Basic credentials to an attacker-controlled HTTP endpoint maps to T1567.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.

Deeper analysis [AI-generated]

CVE-2026-35587 is a Server-Side Request Forgery (SSRF) vulnerability in the IP plugin of Glances, an open-source cross-platform system monitoring tool. The issue affects versions prior to 4.5.4 and stems from improper validation of the public_api configuration parameter, which is passed directly to the HTTP client (urlopen_auth) and used in outbound HTTP requests without scheme restrictions or hostname/IP validation, so the application can be made to connect to arbitrary endpoints. If public_username and public_password are also configured, Glances automatically adds them as an Authorization: Basic header on that request, so an attacker-controlled public_api receives the credentials.

The CVSS v3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) reflects an attacker who already holds low privileges sufficient to modify the Glances configuration. From there they can force the application to issue requests to internal network services or external endpoints: reading internal resources that are not otherwise reachable, querying cloud instance metadata endpoints for credentials, and exfiltrating the configured Basic credentials to a server they control, with high confidentiality, integrity and availability impact. The weakness is classified as CWE-918 (Server-Side Request Forgery).

The GitHub security advisory (GHSA-g5pq-48mj-jvw8) and the associated patch commit (d6808be66728956477cc4b544bab1acd71ac65fb) confirm that upgrading to Glances 4.5.4 resolves the issue by adding validation to the public_api handling. Until the upgrade is done, treat the Glances configuration file as a sensitive asset: restrict who can write to it, review any public_api value that is not the expected provider URL, and avoid setting public_username/public_password unless the destination is trusted.
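The validation that the SI-10 control and the NVD description call for (scheme restriction plus hostname/IP checks) and the credential-leak half of the bug, as an added example written for this page in Python, the language Glances is written in. It is not Glances project code and does not reproduce urlopen_auth or the 4.5.4 patch; the names validate_public_api, hardened_request_headers, the trusted-host parameter and the FAKE_RESOLVER name table are all constructed for the example.

```python
"""Hardened handling of an SSRF-prone outbound URL setting (added example).

Illustrative code written for this page, not Glances project code. It models
the public_api setting from CVE-2026-35587: a configured URL the application
fetches, optionally with HTTP Basic credentials. The vulnerable pattern hands
the URL straight to the HTTP client and attaches credentials regardless of
destination; the hardened functions restrict the scheme, check every resolved
destination address, and attach credentials only to the configured trusted host.
"""
import ipaddress
import socket
from base64 import b64encode
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# A resolver is injected so the checks can run offline. Resolving before
# checking also defeats encodings (decimal/hex IPs, IPv4-mapped IPv6) that the
# OS resolver accepts but a naive string check would miss.
Resolver = Callable[[str], Iterable[str]]


def default_resolver(host: str) -> List[str]:
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


# Constructed name->address table standing in for DNS in this example.
def FAKE_RESOLVER(host: str) -> List[str]:
    return {
        "api.example": ["8.8.8.8"],                 # public answers only
        "rebind.example": ["8.8.8.8", "10.0.0.5"],  # one internal answer mixed in
    }.get(host, [])


def is_public_address(addr: str) -> bool:
    """True only for globally routable unicast: rejects loopback, RFC 1918/ULA,
    link-local (incl. 169.254.169.254 cloud metadata), multicast, reserved."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 as 10.0.0.5
    return ip.is_global and not ip.is_multicast


def validate_public_api(url: str, resolver: Resolver = default_resolver) -> str:
    """Return url if it is safe to fetch, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IPv4/IPv6 (brackets stripped)
    except ValueError:
        addrs = list(resolver(host))                # DNS name
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    # Every answer must be public; a name with even one internal answer is
    # rejected (defence against DNS rebinding and split answers).
    for addr in addrs:
        if not is_public_address(addr):
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return url


def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    token = b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def vulnerable_request_headers(url: str, username: Optional[str],
                               password: Optional[str]) -> Dict[str, str]:
    """The flawed pattern: credentials go to whatever host the URL names."""
    return basic_auth_header(username, password) if username and password else {}


def hardened_request_headers(url: str, trusted_host: str, username: Optional[str],
                             password: Optional[str]) -> Dict[str, str]:
    """Attach Basic credentials only to the configured host over https; fail closed."""
    if not (username and password):
        return {}
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials over plaintext http")
    if (parts.hostname or "").lower() != trusted_host.lower():
        raise ValueError(f"refusing to send credentials to {parts.hostname!r}")
    return basic_auth_header(username, password)


def raises_value_error(fn, *args) -> bool:
    """Small helper to check fail-closed behaviour without try/except at call sites."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for candidate in ["https://api.example/json", "http://169.254.169.254/latest/meta-data/",
                      "http://127.0.0.1:61208/", "file:///etc/passwd", "http://rebind.example/"]:
        verdict = "rejected" if raises_value_error(validate_public_api, candidate, FAKE_RESOLVER) else "allowed"
        print(f"{candidate:45} {verdict}")
```

The two checks are deliberately separate: destination validation runs on every configured URL, while credential attachment is gated on an exact match against the host the operator meant to authenticate to, so a rewritten public_api cannot carry the Basic header anywhere else even if the new destination is itself public.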

Details

CWE(s): CWE-918 Server-Side Request Forgery (SSRF)

Affected Products: nicolargo glances, versions prior to 4.5.4

CVEs Like This One

CVE-2026-30930 (same product: Nicolargo Glances)
CVE-2026-32611 (same product: Nicolargo Glances)
CVE-2026-32610 (same product: Nicolargo Glances)
CVE-2026-30928 (same product: Nicolargo Glances)
CVE-2026-32633 (same product: Nicolargo Glances)
CVE-2026-32609 (same product: Nicolargo Glances)
CVE-2026-32596 (same product: Nicolargo Glances)
CVE-2026-33641 (same product: Nicolargo Glances)
CVE-2026-32634 (same product: Nicolargo Glances)
CVE-2025-54122 (shared CWE-918)
