SB2026031946 - Multiple vulnerabilities in glances



Published: March 19, 2026

Security Bulletin ID: SB2026031946
Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 38%
Medium: 50%
Low: 13%

Description

This security bulletin contains information about 8 security vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2026-32596)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the web server runs without authentication by default when started with "glances -w". A remote attacker can gain unauthorized access to sensitive information on the system.


2) Origin validation error (CVE-ID: CVE-2026-32632)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an origin validation error in the REST/WebUI FastAPI application. A remote attacker can gain access to sensitive information on the system.


3) Information disclosure (CVE-ID: CVE-2026-32633)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the /api/4/serverslist endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.


4) Origin validation error (CVE-ID: CVE-2026-32634)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to an origin validation error in Central Browser mode with autodiscovery enabled. A remote attacker on the local network can advertise a fake Glances service over Zeroconf to obtain a reusable Glances authentication secret.


5) OS Command Injection (CVE-ID: CVE-2026-32608)

The vulnerability allows a local user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within process names in action command templates. A local user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


6) SQL injection (CVE-ID: CVE-2026-32611)

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data used in unparameterized DDL statements in the DuckDB export module. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
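As an added illustration (not glances' own code) of why the DDL issue in item 6 needs identifier validation rather than parameter binding: bound parameters cannot supply a table name in DDL, so an export module must allowlist or quote the identifier itself. The Python stdlib sqlite3 module stands in for DuckDB here (assumption: both follow SQL-standard double-quote identifier quoting); the table name, the allowlist pattern and the "secrets" table are constructed for the example.

```python
import re
import sqlite3

# Constructed attacker-controlled value that an export module might turn into a
# table name. The closing quote ends the identifier early in the vulnerable version.
MALICIOUS_NAME = 'cpu" (x INT); DROP TABLE secrets; --'

# Constructed allowlist for identifiers: letters, digits and underscore, no leading digit.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,62}$")


def unsafe_create_table(name: str) -> str:
    # Vulnerable pattern: the caller-supplied identifier is interpolated into DDL.
    return f'CREATE TABLE IF NOT EXISTS "{name}" (ts TIMESTAMP, value DOUBLE);'


def quote_identifier(name: str) -> str:
    # SQL-standard identifier quoting: wrap in double quotes, double embedded quotes.
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def safe_create_table(name: str, strict: bool = True) -> str:
    # DDL cannot bind an identifier as a parameter, so validate it (strict) and
    # always quote it; with strict=False only the quoting protects the statement.
    if strict and not IDENT_RE.match(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return (f"CREATE TABLE IF NOT EXISTS {quote_identifier(name)} "
            "(ts TIMESTAMP, value DOUBLE);")


def run_export_ddl(ddl: str) -> list:
    # Runs the DDL against a throwaway database (sqlite3 stands in for DuckDB)
    # that already holds a 'secrets' table, and reports the surviving tables.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE secrets (k TEXT)")
    con.executescript(ddl)
    names = [row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")]
    con.close()
    return names


if __name__ == "__main__":
    print(run_export_ddl(unsafe_create_table(MALICIOUS_NAME)))  # ['cpu']
    print(run_export_ddl(safe_create_table(MALICIOUS_NAME, strict=False)))
    try:
        safe_create_table(MALICIOUS_NAME)
    except ValueError as exc:
        print("strict mode:", exc)
```

The vulnerable version drops the secrets table; the quoted version creates one oddly named table and leaves secrets intact, and the strict version rejects the name before any SQL is built.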


7) Information disclosure (CVE-ID: CVE-2026-32609)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the /api/v4/args endpoint. A remote attacker can gain unauthorized access to sensitive information on the system.


8) Overly permissive cross-domain whitelist (CVE-ID: CVE-2026-32610)

The vulnerability allows a remote attacker to bypass the CORS protection mechanism.

The vulnerability exists due to incorrect processing of the "Origin" HTTP header supplied within an HTTP request. A remote attacker can supply an arbitrary value via the "Origin" HTTP header, bypass the implemented CORS protection mechanism and steal system monitoring information, configuration secrets and command line arguments.


Remediation

Install the update from the vendor's website.