CVE-2026-32634

CVE-2026-32634 is a high-severity vulnerability in Nicolargo Glances with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-346.

Key facts

Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

Frequently asked questions

What is CVE-2026-32634?
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.
How severe is CVE-2026-32634?
CVE-2026-32634 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over an adjacent network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
Is CVE-2026-32634 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-32634?
CVE-2026-32634 affects Nicolargo Glances. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-32634?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
Does CVE-2026-32634 have an EU (EUVD) identifier?
Yes. CVE-2026-32634 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12928.
When was CVE-2026-32634 published?
CVE-2026-32634 was published on 2026-03-18 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Nicolargo Glances

All CVEs affecting Nicolargo Glances →

Other CWE-346 vulnerabilities

Browse all CWE-346 vulnerabilities →