Threat Advisory

Glances Server-Side Request Forgery Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Glances monitoring tool in versions prior to 4.5.4: a Server-Side Request Forgery (SSRF) and a cross-origin information disclosure. The SSRF allows an attacker to force the application to send requests to arbitrary internal or external endpoints, potentially leading to credential leakage. The cross-origin information disclosure exposes sensitive system information to unauthorized actors. Together they allow attackers to access internal network services, retrieve sensitive data, and exfiltrate credentials, which can result in unauthorized data access, disruption of critical services, and reputational damage. This underscores the importance of timely patching and secure configuration practices.

CVE-2026-35587 with a CVSS score of 7.5 – A Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. This allows an attacker to force the application to send requests to arbitrary internal or external endpoints, potentially leading to credential leakage.
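The root cause named above is improper validation of a URL-valued configuration setting that the plugin then fetches. The following is an added example of the kind of check a defender would want in front of such a setting; it is not Glances' own code or its fix. The function names, the allowed-scheme set and the FAKE_DNS table are assumptions constructed here, and the resolver is injectable so the check runs offline.

```python
"""Allow-listing a configurable outbound URL (illustrative; not Glances' own code).

A component that fetches a URL taken from configuration must not be steerable
at loopback, link-local (cloud metadata) or RFC 1918 addresses.  The check
below rejects such targets whether they are written as literal IPs or as
names that resolve to them.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the setting is only ever meant to reach a public HTTPS service.
ALLOWED_SCHEMES = {"https"}


def resolve_all(host):
    """Default resolver: every address the system resolver returns (uses the network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def outbound_url_problems(url, resolver=resolve_all):
    """Return the reasons `url` must be rejected as an outbound target; [] means acceptable.

    `resolver` is injectable so the check can be unit-tested without DNS.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return [f"unparseable URL: {exc}"]

    problems = []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        problems.append(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        problems.append("credentials embedded in URL")
    host = parts.hostname
    if not host:
        problems.append("missing host")
        return problems

    # A literal IP is checked directly; a name is resolved so that a harmless-
    # looking hostname pointing at an internal address is still caught.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            problems.append(f"cannot resolve {host!r}: {exc}")
            return problems

    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
        mapped = getattr(ip, "ipv4_mapped", None)
        if mapped is not None:
            ip = mapped
        # is_global is False for loopback, link-local, private, reserved,
        # multicast, unspecified and documentation ranges.
        if not ip.is_global:
            problems.append(f"{host!r} resolves to non-public address {ip}")
    return problems


# Constructed DNS answers used by the demo below so it runs offline.
FAKE_DNS = {
    "api.example.org": ["8.8.8.8"],                 # a public address
    "metadata.internal.example": ["169.254.169.254"],  # a link-local address
}


def fake_resolver(host):
    """Stand-in for resolve_all() backed by the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise OSError("no such host")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://api.example.org/json",
                      "https://metadata.internal.example/latest",
                      "https://127.0.0.1:8080/",
                      "https://[::ffff:169.254.169.254]/"):
        verdict = outbound_url_problems(candidate, fake_resolver) or ["ok"]
        print(candidate, "->", "; ".join(verdict))
```

In production the resolved addresses should also be the ones actually connected to (or the HTTP client should re-run the same check on every redirect hop), otherwise a host whose DNS answer changes between validation and use can still steer the request inward.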

CVE-2026-34839 with a CVSS score of 7.5 – The Glances web server exposes a REST API that is accessible without authentication and, due to a permissive CORS policy, accepts cross-origin requests from any origin. A malicious website can therefore read sensitive system information from a running Glances instance through the victim's browser, leading to cross-origin data exfiltration.

Taken together, these vulnerabilities pose a significant risk to businesses: attackers can reach internal network services, retrieve sensitive data, and exfiltrate credentials, which can lead to unauthorized data access, disruption of critical services, and reputational damage. It is crucial to address them promptly to prevent potential exploitation.
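The CORS finding above combines two properties: the API needs no authentication, and the policy lets any origin read responses. The following is an added example, not Glances' code, of how an audit can classify a CORS response header set for such an API and what a hardened policy looks like beside it. The function names, the sample origins and the SAMPLE_RESPONSES header sets are constructed here as assumptions.

```python
"""Classifying a CORS policy observed on an HTTP API (illustrative; not Glances' own code).

A browser lets a page from another origin read a response only when the
Access-Control-Allow-Origin header permits that page's origin.  On an API that
needs no authentication, a wildcard or a reflected origin is therefore enough
for any website the user visits to pull the API's data out of the user's
network.  cors_findings() rates one observed response; cors_response_headers()
is the hardened counterpart a server should emit.
"""


def cors_findings(request_origin, response_headers, requires_auth):
    """Return findings for one response to a request carrying `Origin: request_origin`.

    An empty list means the browser would not expose the body to that origin.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = h.get("access-control-allow-origin")
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings = []

    if allow_origin is None:
        return findings  # no CORS grant: cross-origin reads are blocked

    if allow_origin == "*":
        # '*' is never honoured together with credentials, so it only exposes
        # what an anonymous request can already read.
        if not requires_auth:
            findings.append("wildcard Allow-Origin on an unauthenticated API: any site can read it")
    elif allow_origin == request_origin:
        findings.append(f"Allow-Origin reflects the requesting origin {request_origin!r}")
        if allow_creds:
            findings.append("reflected origin with credentials: authenticated responses readable cross-origin")
        elif not requires_auth:
            findings.append("reflected origin on an unauthenticated API: any site can read it")
    elif allow_origin == "null":
        findings.append("'null' origin allowed: sandboxed frames and file:// pages can read it")
    return findings


def cors_response_headers(request_origin, allowed_origins):
    """Hardened counterpart: grant only allow-listed origins and never reflect blindly."""
    if request_origin in allowed_origins:
        return {"Access-Control-Allow-Origin": request_origin, "Vary": "Origin"}
    return {}  # no grant at all for unknown origins


def audit(samples, origin, requires_auth):
    """Run cors_findings() over a mapping of label -> response headers."""
    return {name: cors_findings(origin, headers, requires_auth)
            for name, headers in samples.items()}


# Constructed header sets standing in for the responses an audit request with
# "Origin: https://other-site.example" might receive from different servers.
ORIGIN = "https://other-site.example"
SAMPLE_RESPONSES = {
    "wildcard": {"Access-Control-Allow-Origin": "*", "Content-Type": "application/json"},
    "reflected_with_credentials": {"Access-Control-Allow-Origin": ORIGIN,
                                   "Access-Control-Allow-Credentials": "true"},
    "pinned": {"Access-Control-Allow-Origin": "https://dashboard.example.internal"},
    "no_cors": {"Content-Type": "application/json"},
}


if __name__ == "__main__":
    for name, found in audit(SAMPLE_RESPONSES, ORIGIN, requires_auth=False).items():
        print(f"{name}: {found or ['ok']}")
```

Note that the same wildcard header is harmless on an endpoint that requires credentials, because browsers refuse to combine `*` with credentials; the severity here comes from pairing the permissive policy with an API that answers anonymously, which is why the fix is both an allow-list and authentication.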

RECOMMENDATION:

We recommend updating the glances pip package to version 4.5.4.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-g5pq-48mj-jvw8
https://github.com/advisories/GHSA-gfc2-9qmw-w7vh
