Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-35587— Glances IP Plugin has SSRF via public_api that leads to credential leakage

EPSS 0.02% · P5
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35587

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Glances IP Plugin has SSRF via public_api that leads to credential leakage
Source: NVD (National Vulnerability Database)
Vulnerability Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary internal or external endpoints. Additionally, when public_username and public_password are set, Glances automatically includes these credentials in the Authorization: Basic header, resulting in credential leakage to attacker-controlled servers. This vulnerability can be exploited to access internal network services, retrieve sensitive data from cloud metadata endpoints, and/or exfiltrate credentials via outbound HTTP requests. The issue arises because public_api is passed directly to the HTTP client (urlopen_auth) without validation, allowing unrestricted outbound connections and unintended disclosure of sensitive information. Version 4.5.4 contains a patch.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
glances 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
glances是Nicolas Hennion个人开发者的一款系统监测工具。 glances 4.5.4之前版本存在代码问题漏洞,该漏洞源于IP插件对public_api配置参数验证不当,可能导致服务端请求伪造和凭据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
nicolargoglances < 4.5.4 -

II. Public POCs for CVE-2026-35587

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-35587

登录查看更多情报信息。

Same Patch Batch · nicolargo · 2026-04-20 · 3 CVEs total

CVE-2026-355886.3 MEDIUMGlances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values
CVE-2026-34839Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/a

IV. Related Vulnerabilities

Same product: glances
Same vendor: nicolargo
Same weakness: CWE-918

V. Comments for CVE-2026-35587

No comments yet

Leave a comment