CVE-2026-35587
Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
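As an added illustration of the validation the description says is missing (example code written for this page, not Glances' own code or the vendor's fix), the check below treats a public_api-style URL the way a defender would: it restricts the scheme, rejects loopback, private and link-local address literals such as the cloud metadata address, and hands out Basic credentials only for an allowlisted host. The host names, allowlist and credentials in it are constructed placeholders.

```python
from ipaddress import ip_address
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed placeholder names; extend for the environment in question.
BLOCKED_NAMES = {"localhost", "metadata.google.internal"}


def check_public_api(url, allowed_hosts=None):
    """Return (ok, reason) for a public_api-style value.

    Rejects non-HTTP schemes, URLs without a host, credentials embedded
    in the URL, well-known internal names, and IP literals that are not
    globally routable (loopback, RFC 1918, link-local incl. 169.254.169.254).
    If allowed_hosts is given, the host must also be on that allowlist.
    DNS names are NOT resolved here, so a name that resolves to an
    internal address is not caught by this check alone.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"forbidden scheme {parsed.scheme!r}"
    host = parsed.hostname  # already lower-cased by urlparse
    if not host:
        return False, "missing host"
    if parsed.username is not None or parsed.password is not None:
        return False, "credentials embedded in URL"
    host = host.rstrip(".")
    if host in BLOCKED_NAMES:
        return False, f"blocked host {host!r}"
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None  # a DNS name rather than an IP literal
    if ip is not None and not ip.is_global:
        return False, f"non-public address {ip}"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    return True, "ok"


def auth_for(url, username, password, allowed_hosts):
    """Return (username, password) only when both are set AND the URL
    passes validation against the allowlist, otherwise (None, None), so
    configured Basic credentials are never sent to an unexpected host."""
    ok, _ = check_public_api(url, allowed_hosts)
    if ok and username and password:
        return username, password
    return None, None
```

For full coverage a deployment would also resolve DNS names, apply the same address check to every resolved address, and connect to the address it validated rather than re-resolving at request time.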
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| glances (PyPI) | < 4.5.4 | 4.5.4 |
Patches (1)
d6808be66728: SSRF in Glances IP Plugin via public_api leads to credential leakage - Correct CVE-2026-35587
1 file changed · +17 −1
glances/plugins/ip/__init__.py+17 −1 modified@@ -9,6 +9,8 @@ """IP plugin.""" import threading +from urllib.parse import urlparse +from urllib.request import Request, urlopen from glances.globals import get_ip_address, json_loads, urlopen_auth from glances.logger import logger @@ -71,6 +73,17 @@ def __init__(self, args=None, config=None): or self.public_api is None or self.public_field is None ) + + # Defence-in-depth: validate URL scheme to prevent SSRF via config + if not self.public_disabled and self.public_api: + parsed = urlparse(self.public_api) + if parsed.scheme not in ('http', 'https'): + logger.warning( + f"IP plugin - public_api uses forbidden scheme '{parsed.scheme}://', " + "only http:// and https:// are allowed. Public IP disabled." + ) + self.public_disabled = True + self.public_address_refresh_interval = self.get_conf_value( "public_refresh_interval", default=self._default_public_refresh_interval ) @@ -258,7 +271,10 @@ def run(self): def _fetch_public_ip_info(self): """Fetch public IP information from the configured API.""" try: - response = urlopen_auth(self.url, self.username, self.password, self.timeout).read() + if self.username and self.password: + response = urlopen_auth(self.url, self.username, self.password, self.timeout).read() + else: + response = urlopen(Request(self.url), timeout=self.timeout).read() return json_loads(response) except Exception as e: logger.debug(f"IP plugin - Cannot get public IP information from {self.url} ({e})")
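Review bot: in the import hunk, `Request` is only ever used to wrap a plain string URL in the fetch path; `urlopen(self.url, timeout=self.timeout)` accepts the string directly, so the `Request` import can be dropped unless headers are going to be set on the request object. Keeping the unauthenticated `urlopen` path and the `urlopen_auth` path side by side also means any URL validation must guard both call sites, not just the authenticated one.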
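Review bot: the `__init__` hunk validates only `parsed.scheme`, not `parsed.hostname`, so a configured `http://` URL pointing at a loopback, RFC 1918 or link-local address (the cloud metadata case the advisory names) still passes and the request is still sent; consider also rejecting non-global IP literals and well-known internal names, or requiring the host to match an allowlist. The comment calls this "defence-in-depth", but in this diff it is the only control, and it only takes effect if the code path that performs the fetch honours `self.public_disabled`, which is not visible in this hunk.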
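Review bot: the `_fetch_public_ip_info` hunk stops passing unset credentials to `urlopen_auth`, but when `public_username` and `public_password` are configured it still attaches them to whatever host `self.url` names, so the credential-leakage half of the advisory rests entirely on the scheme check performed at construction time; attach Basic credentials only when the URL's host matches the intended API host, and re-validate `self.url` here rather than relying on state set in `__init__`. Separately, `if self.username and self.password:` treats a configured username with an empty password as unauthenticated, a silent behaviour change from the removed line that deserves at least a warning-level log entry.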
References
- github.com/nicolargo/glances/commit/d6808be66728956477cc4b544bab1acd71ac65fb (NVD: Patch, web)
- github.com/nicolargo/glances/security/advisories/GHSA-g5pq-48mj-jvw8 (NVD: Exploit, Mitigation, Vendor Advisory, web)
- github.com/advisories/GHSA-g5pq-48mj-jvw8 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-35587 (GHSA: Advisory)
- github.com/nicolargo/glances/releases/tag/v4.5.4 (GHSA: web)