Insecure API Endpoint in Glances Affects Monitoring Tool by Nicolargo
CVE-2026-32633

9.1 CRITICAL

Key Information:

Vendor: Nicolargo

Status
Vendor
CVE Published: 18 March 2026

What is CVE-2026-32633?

Glances, an open-source system monitoring tool developed by Nicolargo, contains a significant vulnerability in its Central Browser mode in versions prior to 4.5.2. The /api/4/serverslist endpoint can return unprotected server objects whose uri field exposes the HTTP Basic authentication credentials for downstream Glances servers. This occurs when the front Glances Browser/API instance is launched without the --password flag, which is often the case in internal network setups. Consequently, any network user who can reach the Browser API can potentially retrieve the credentials for those Glances servers, compromising their security. To mitigate this risk, upgrade to version 4.5.2, which resolves the issue.
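
A defender's check for the exposure described above, as an added example that is not Glances code: it scans a captured /api/4/serverslist response body for uri values that embed credentials and returns a redacted copy. The sample body, host addresses and the name field are constructed; only the uri field comes from the advisory.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample shaped like the response the advisory describes: a list of
# server objects, one of which carries credentials in its "uri" field.
# Every field name other than "uri" is an assumption for illustration.
SAMPLE_SERVERSLIST = json.dumps([
    {"name": "db01", "uri": "http://glances:example-secret@10.0.0.11:61209"},
    {"name": "web01", "uri": "http://10.0.0.12:61209"},
])


def redact_uri(uri):
    """Return (uri_without_userinfo, had_credentials)."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return uri, False
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, True


def audit_serverslist(body):
    """Walk a JSON body; return (paths of leaking fields, sanitized copy)."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            return {k: walk(v, f"{path}.{k}") for k, v in node.items()}
        if isinstance(node, list):
            return [walk(v, f"{path}[{i}]") for i, v in enumerate(node)]
        if isinstance(node, str) and "://" in node:
            clean, leaked = redact_uri(node)
            if leaked:
                findings.append(path)  # record where, never the secret itself
            return clean
        return node

    sanitized = walk(json.loads(body), "$")
    return findings, sanitized
```

A non-empty findings list for a response served without authentication means the instance is exposing downstream credentials and should be upgraded to 4.5.2.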

Affected Version(s)

glances < 4.5.2

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
