Skip to main content

Glances EUVDEUVD-2026-23990

| CVE-2026-35587 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-21 security-advisories@github.com GHSA-g5pq-48mj-jvw8
7.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 23, 2026 - 18:42 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 16:01 EUVD
Analysis Generated
Apr 21, 2026 - 00:37 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 00:22 euvd
EUVD-2026-23990
Analysis Generated
Apr 21, 2026 - 00:22 vuln.today
CVE Published
Apr 21, 2026 - 00:16 nvd
HIGH 7.3

DescriptionGitHub Advisory

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.

AnalysisAI

Server-Side Request Forgery in Glances IP plugin allows authenticated attackers to force the monitoring application to send HTTP requests to arbitrary internal or external endpoints, with automatic credential leakage when public_username and public_password are configured. The vulnerability affects all versions prior to 4.5.4 and arises from insufficient validation of the public_api configuration parameter. EPSS exploitation probability is low (0.04%, 12th percentile), but SSVC framework confirms proof-of-concept availability and automatable exploitation with partial technical impact. Vendor patch released in version 4.5.4.

Technical ContextAI

Glances is a cross-platform system monitoring tool written in Python that provides real-time performance metrics. The IP plugin supports querying external geolocation APIs via the public_api configuration parameter to enrich IP address information. The vulnerability stems from CWE-918 (Server-Side Request Forgery) - the application passes the public_api value directly to Python's HTTP client (urlopen_auth) without validating URI schemes, hostnames, or IP addresses. This allows attackers to exploit the trust relationship between the Glances server and internal network resources. When public_username and public_password are configured for API authentication, the application automatically constructs an Authorization: Basic header using these credentials and includes them in all outbound requests to the attacker-specified endpoint, resulting in credential disclosure. The affected component is specifically the IP plugin's geolocation lookup functionality, which was intended for legitimate external API services but lacks input sanitization.

RemediationAI

Upgrade to Glances version 4.5.4 or later, which contains input validation fixes preventing arbitrary URL schemes and hostname manipulation in the public_api parameter (patch commit: https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb). Official release available at https://github.com/nicolargo/glances/releases/tag/v4.5.4. If immediate patching is not feasible, implement these compensating controls: disable the IP plugin entirely by removing it from the Glances configuration file (eliminates attack vector but loses geolocation functionality); if IP plugin is required, remove or leave unset the public_api, public_username, and public_password configuration parameters to prevent outbound API requests (loses external geolocation enrichment); restrict write access to Glances configuration files using filesystem permissions to prevent unauthorized modification (reduces attack surface but does not eliminate risk if administrative credentials are compromised). Network-level mitigation: deploy egress filtering to block Glances servers from accessing internal RFC1918 address ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254) - this prevents SSRF exploitation of internal services but may break legitimate external API integrations. Each workaround trades functionality for security; full patching to 4.5.4 is strongly recommended.

Vendor StatusVendor

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-23990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy