Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
AnalysisAI
Server-Side Request Forgery in Glances IP plugin allows authenticated attackers to force the monitoring application to send HTTP requests to arbitrary internal or external endpoints, with automatic credential leakage when public_username and public_password are configured. The vulnerability affects all versions prior to 4.5.4 and arises from insufficient validation of the public_api configuration parameter. EPSS exploitation probability is low (0.04%, 12th percentile), but SSVC framework confirms proof-of-concept availability and automatable exploitation with partial technical impact. Vendor patch released in version 4.5.4.
Technical ContextAI
Glances is a cross-platform system monitoring tool written in Python that provides real-time performance metrics. The IP plugin supports querying external geolocation APIs via the public_api configuration parameter to enrich IP address information. The vulnerability stems from CWE-918 (Server-Side Request Forgery) - the application passes the public_api value directly to Python's HTTP client (urlopen_auth) without validating URI schemes, hostnames, or IP addresses. This allows attackers to exploit the trust relationship between the Glances server and internal network resources. When public_username and public_password are configured for API authentication, the application automatically constructs an Authorization: Basic header using these credentials and includes them in all outbound requests to the attacker-specified endpoint, resulting in credential disclosure. The affected component is specifically the IP plugin's geolocation lookup functionality, which was intended for legitimate external API services but lacks input sanitization.
RemediationAI
Upgrade to Glances version 4.5.4 or later, which contains input validation fixes preventing arbitrary URL schemes and hostname manipulation in the public_api parameter (patch commit: https://github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb). Official release available at https://github.com/nicolargo/glances/releases/tag/v4.5.4. If immediate patching is not feasible, implement these compensating controls: disable the IP plugin entirely by removing it from the Glances configuration file (eliminates attack vector but loses geolocation functionality); if IP plugin is required, remove or leave unset the public_api, public_username, and public_password configuration parameters to prevent outbound API requests (loses external geolocation enrichment); restrict write access to Glances configuration files using filesystem permissions to prevent unauthorized modification (reduces attack surface but does not eliminate risk if administrative credentials are compromised). Network-level mitigation: deploy egress filtering to block Glances servers from accessing internal RFC1918 address ranges and cloud metadata endpoints (169.254.169.254, fd00:ec2::254) - this prevents SSRF exploitation of internal services but may break legitimate external API integrations. Each workaround trades functionality for security; full patching to 4.5.4 is strongly recommended.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23990
GHSA-g5pq-48mj-jvw8