Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Published: 2026-03-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data theft via credentialed cross-origin requests
Action: Immediate Patch
AI Analysis

Impact

Glances ships with a default Cross-Origin Resource Sharing configuration that allows any origin to send requests with credentials. Because the server sets allow_origins to the wildcard while also enabling allow_credentials, Starlette's CORSMiddleware reflects the requesting Origin header back in Access-Control-Allow-Origin instead of returning the literal `*`. That reflection is what makes the combination exploitable: browsers refuse to expose a credentialed response when the allowed origin is `*`, but accept it when the header names the requesting origin exactly. A malicious page opened by a user whose browser holds credentials for the Glances instance can therefore issue authenticated API calls to the REST interface and read the responses, leaking monitoring data, configuration secrets, and command line arguments. The weakness is a CORS misconfiguration (CWE-942) that primarily compromises confidentiality; the CVSS vector recorded below also rates integrity impact as high.

Affected Systems

The issue affects Glances, the open-source monitoring tool developed by nicolargo. All versions prior to 4.5.2 are vulnerable; 4.5.2 or newer contains the fix.

Risk and Exploitability

The CVSS score of 8.1 classifies the vulnerability as high severity (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The EPSS score of less than 1% suggests that real-world exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog, although the SSVC assessment records a public proof of concept. Nevertheless, the attacker needs no account on the Glances instance (PR:N): it is enough that a user whose browser holds credentials for Glances opens an attacker-controlled page (UI:R), which then issues credentialed cross-origin requests from inside that browser. The risk is greatest where the Glances web server is reachable from users' browsers over untrusted networks or is publicly exposed.

Generated by OpenCVE AI on March 21, 2026 at 07:07 UTC.
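
A practitioner-side check for the behaviour described above, added here as an example (it is not code from Glances, Starlette, or the advisory). `classify_cors()` labels a response by how its CORS headers answer a foreign `Origin`, and `probe()` sends an OPTIONS preflight and a plain GET carrying such an Origin to a live instance. The foreign origin `https://attacker.example`, the API path `/api/4/cpu`, and the header sets in `SAMPLE_RESPONSES` are assumptions and constructed inputs, not captured data.

```python
"""Check a Glances REST API for the CORS misconfiguration behind CVE-2026-32610.

Added example; not Glances or advisory code.  classify_cors() is a pure
function exercised below on constructed header sets.  probe() performs a
live check and needs network reach to a Glances server; the API path
/api/4/cpu is an assumption about the Glances 4 API layout.
"""
import urllib.error
import urllib.request

# Hypothetical foreign origin: any origin the server has no reason to trust.
ATTACKER_ORIGIN = "https://attacker.example"


def classify_cors(origin: str, headers: dict) -> str:
    """Classify the CORS headers returned for a request sent with Origin: <origin>.

    Returns one of:
      "vulnerable"               - <origin> is echoed in Access-Control-Allow-Origin
                                   and Access-Control-Allow-Credentials is "true";
                                   a browser will expose the credentialed response
                                   body to the foreign page.
      "reflected-no-credentials" - <origin> is echoed but credentials are not
                                   allowed; cookies and HTTP auth are not attached.
      "wildcard"                 - literal "*"; browsers refuse to pair "*" with
                                   credentials, so credentialed reads fail.
      "not-allowed"              - no ACAO header, or an explicit different origin.
    Header names are matched case-insensitively.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    acao = lowered.get("access-control-allow-origin")
    allow_credentials = (
        lowered.get("access-control-allow-credentials", "").strip().lower() == "true"
    )
    if acao == origin:
        return "vulnerable" if allow_credentials else "reflected-no-credentials"
    if acao == "*":
        return "wildcard"
    return "not-allowed"


# Constructed header sets (not captured from a real server) modelling the shapes
# the advisory describes: the pre-4.5.2 default, which reflects the requesting
# Origin alongside Allow-Credentials, and an explicit allowlist that only admits
# a trusted dashboard origin.
SAMPLE_RESPONSES = {
    "pre-4.5.2 default": {
        "Access-Control-Allow-Origin": ATTACKER_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "explicit allowlist": {
        "Access-Control-Allow-Origin": "https://dashboard.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "wildcard without credentials": {
        "Access-Control-Allow-Origin": "*",
    },
}


def classify_samples() -> dict:
    """Classify each constructed sample as seen from ATTACKER_ORIGIN."""
    return {name: classify_cors(ATTACKER_ORIGIN, hdrs) for name, hdrs in SAMPLE_RESPONSES.items()}


def probe(base_url: str, origin: str = ATTACKER_ORIGIN, path: str = "/api/4/cpu") -> dict:
    """Live check: send a preflight OPTIONS and a plain GET carrying a foreign
    Origin and classify both responses.  Non-2xx responses (for example a 401
    from HTTP Basic auth) still carry the CORS headers, so they are inspected too."""
    results = {}
    for method in ("OPTIONS", "GET"):
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method)
        req.add_header("Origin", origin)
        if method == "OPTIONS":
            req.add_header("Access-Control-Request-Method", "GET")
            req.add_header("Access-Control-Request-Headers", "authorization")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                hdrs = dict(resp.headers.items())
        except urllib.error.HTTPError as err:
            hdrs = dict(err.headers.items())
        results[method] = classify_cors(origin, hdrs)
    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        for method, verdict in probe(sys.argv[1]).items():
            print(f"{method}: {verdict}")
    else:
        for name, verdict in classify_samples().items():
            print(f"{name}: {verdict}")
```

Run it with the base URL of a Glances web server (for example `python cors_check.py http://glances-host:61208`, 61208 being the Glances default web port); with no argument it classifies the constructed samples. A verdict of "vulnerable" for either the OPTIONS or the GET response means the instance still reflects arbitrary origins with credentials allowed. Checking both is deliberate: a preflight and a simple request go through different code paths in CORS middleware, and a fix that only changes one of them is incomplete.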

Remediation

Vendor fix: Glances 4.5.2 corrects the default CORS configuration (see the GHSA advisory under Advisories). No vendor-published workaround for earlier versions is recorded here; the recommended actions below describe interim mitigations.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.2 or later to receive the corrected CORS configuration
  • If an upgrade is delayed, immediately disable the allow_credentials option or restrict the CORS policy to an explicit allowlist of trusted origins; never combine a wildcard origin with credentials
  • Restrict network access to the Glances REST API so it is reachable only from trusted hosts or behind a VPN
  • Monitor API logs for unusual cross-origin requests (if the access log does not record the Origin header, log it at the reverse proxy in front of Glances) and rotate any credentials that may have been exposed
  • Verify that no other configurations expose the API to the public internet

Generated by OpenCVE AI on March 21, 2026 at 07:07 UTC.
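
A configuration audit matching the second recommended action, added here as an example (it is not Glances code). It assumes Glances reads its CORS settings from the `cors_origins`, `cors_credentials`, `cors_methods` and `cors_headers` keys of the `[outputs]` section in glances.conf; check that against the glances.conf shipped with your version. The sample configuration `VULNERABLE_CONF` and the origin `https://dashboard.example` are constructed for the example.

```python
"""Audit a glances.conf [outputs] section for the CORS combination behind
CVE-2026-32610 and produce a hardened replacement.

Added example; not Glances code.  It assumes Glances reads its CORS settings
from the keys cors_origins, cors_credentials, cors_methods and cors_headers in
the [outputs] section (an assumption about the configuration format; compare
with the glances.conf shipped with your version).  When the keys are absent,
the audit applies the pre-4.5.2 defaults named in the advisory.
"""
import configparser
import io
from urllib.parse import urlsplit

# Constructed sample reproducing the permissive defaults named in the advisory.
VULNERABLE_CONF = """\
[outputs]
cors_origins=*
cors_credentials=True
cors_methods=*
cors_headers=*
"""


def _parse(conf_text: str) -> configparser.ConfigParser:
    # interpolation=None: configuration values may contain literal '%' characters.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return parser


def _origins(parser: configparser.ConfigParser) -> list:
    # Missing key: fall back to the pre-4.5.2 default of "*".
    raw = parser.get("outputs", "cors_origins", fallback="*")
    return [o.strip() for o in raw.split(",") if o.strip()]


def audit_cors(conf_text: str) -> list:
    """Return a list of findings; an empty list means the CORS policy is sound."""
    parser = _parse(conf_text)
    origins = _origins(parser)
    # Missing key: fall back to the pre-4.5.2 default of True.
    credentials = parser.getboolean("outputs", "cors_credentials", fallback=True)
    findings = []
    if "*" in origins and credentials:
        findings.append(
            "cors_origins=* combined with cors_credentials=True: the middleware reflects "
            "any Origin and allows credentials (CVE-2026-32610)"
        )
    elif "*" in origins:
        findings.append("cors_origins=*: every website can read unauthenticated API responses")
    for origin in origins:
        if origin == "*":
            continue
        parts = urlsplit(origin)
        # A valid origin is scheme://host[:port] with no path, query or fragment.
        malformed = (
            parts.scheme not in ("http", "https")
            or not parts.netloc
            or parts.path
            or parts.query
            or parts.fragment
        )
        if malformed:
            findings.append(f"malformed origin in cors_origins: {origin!r}")
        elif parts.scheme == "http":
            findings.append(f"plaintext origin in cors_origins: {origin!r}")
    return findings


def harden(conf_text: str, trusted_origins: list, allow_credentials: bool = False) -> str:
    """Rewrite [outputs] with an explicit origin allowlist and credentials off
    unless the caller really needs credentialed cross-origin access."""
    if not trusted_origins or "*" in trusted_origins:
        raise ValueError("trusted_origins must be a non-empty list of explicit origins")
    parser = _parse(conf_text)
    if not parser.has_section("outputs"):
        parser.add_section("outputs")
    parser.set("outputs", "cors_origins", ",".join(trusted_origins))
    parser.set("outputs", "cors_credentials", "True" if allow_credentials else "False")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    print("before:", audit_cors(VULNERABLE_CONF))
    fixed = harden(VULNERABLE_CONF, ["https://dashboard.example"])
    print(fixed)
    print("after:", audit_cors(fixed))
```

The audit treats absent keys as the advisory's pre-4.5.2 defaults, so a glances.conf that never mentions CORS is reported as vulnerable rather than silently passing. `harden()` turns credentials off by default; pass `allow_credentials=True` only when a trusted origin genuinely needs the user's session, and even then keep the allowlist explicit, because it is the pairing of a wildcard with credentials that produces the reflection described in the advisory.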

Advisories

Source: GitHub GHSA
ID: GHSA-9jfm-9rc6-2hfq
Title: Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
History

Sat, 21 Mar 2026 05:30:00 +0000

CPEs (values added): cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

First Time appeared (values added): Nicolargo; Nicolargo glances
Vendors & Products (values added): Nicolargo; Nicolargo glances

Wed, 18 Mar 2026 17:15:00 +0000

Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 17:00:00 +0000

Description (values added): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Title (values added): Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
Weaknesses (values added): CWE-942
References: (no values recorded)
Metrics (values added): cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-18T16:59:40.327Z
Reserved: 2026-03-12T14:54:24.270Z
Link: CVE-2026-32610

Vulnrichment

Updated: 2026-03-18T16:59:34.494Z

NVD

Status: Analyzed
Published: 2026-03-18T17:16:06.947
Modified: 2026-03-21T00:16:56.353
Link: CVE-2026-32610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:32Z

Weaknesses