Detections
Analytics

CVE-2026-32634

high

Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

References

https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm

https://github.com/nicolargo/glances/releases/tag/v4.5.2

https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5

Details

Source: Mitre, NVD

Published: 2026-03-18

Updated: 2026-03-19

Risk Information

CVSS v2

Base Score: 7.8

Vector: CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:N

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.00008