Nixpkgs Security Tracker

Untriaged

Permalink CVE-2026-32634

8.1 HIGH

CVSS version: 3.1
Attack vector (AV): ADJACENT_NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): HIGH
Integrity impact (I): HIGH
Availability impact (A): NONE

created 3 days, 22 hours ago

Glances Central Browser Autodiscovery Leaks Reusable Credentials to Zeroconf-Spoofed Servers

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.

References

https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm x_refsource_CONFIRM
https://github.com/nicolargo/glances/commit/61d38eec521703e41e4933d18d5a5ef6f854abd5 x_refsource_MISC
https://github.com/nicolargo/glances/releases/tag/v4.5.2 x_refsource_MISC
https://github.com/nicolargo/glances/security/advisories/GHSA-vx5f-957p-qpvm exploit

Affected products

glances

==< 4.5.2

Matching in nixpkgs

pkgs.glances

Cross-platform curses-based monitoring tool

nixos-unstable 4.5.0.5
- nixpkgs-unstable 4.5.0.5
- nixos-unstable-small 4.5.0.5
nixos-25.11 4.3.3
- nixos-25.11-small 4.3.3
- nixpkgs-25.11-darwin 4.3.3