Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Published: 2026-04-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Origin System Information Disclosure
Action: Patch Now
AI Analysis

Impact

Glances by nicolargo includes an XML-RPC server that, when enabled with glances -s or glances --server, emits an Access-Control-Allow-Origin: * header on every response and does not validate the Content-Type of incoming requests. An attacker can craft a simple POST request with a text/plain Content-Type and a valid XML-RPC payload. The victim's browser forwards the request and, because the response carries the wildcard CORS header, the attacker's JavaScript can read the returned data. The data set contains the hostname, operating system, network interfaces, CPU, memory, storage, and the full list of processes with their command arguments, which often include secrets. The flaw is classified as CWE-942 and allows remote disclosure of comprehensive system state.
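The description and the impact analysis above both come down to two server-side controls: refuse XML-RPC bodies that are not declared as XML (so a browser must send a preflight before any cross-origin POST), and never answer with a wildcard Access-Control-Allow-Origin. The following is an added illustration, not Glances code and not part of the advisory: a minimal Python XML-RPC request handler built on the standard library that applies both controls. The allow-listed origin, the registered getAll function, and the loopback address and port are constructed values for the example.

```python
"""Hardening an XML-RPC endpoint against the CORS "simple request" pattern.

Illustrative example only (not Glances code). Two controls close the hole:
  1. reject any POST whose Content-Type is not an XML media type, which forces
     browsers to issue an OPTIONS preflight for cross-origin requests;
  2. never emit Access-Control-Allow-Origin: *; echo only allow-listed origins.
"""
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# XML-RPC requests are sent as text/xml; application/xml is accepted as a lenient variant.
ALLOWED_CONTENT_TYPES = {"text/xml", "application/xml"}

# Constructed allow-list of origins permitted to read responses cross-origin.
ALLOWED_ORIGINS = {"https://dashboard.internal.example"}

# Media types a browser may POST without a preflight (Fetch spec "CORS-safelisted").
_SAFELISTED_MEDIA = {"text/plain", "application/x-www-form-urlencoded", "multipart/form-data"}


def media_type(content_type):
    """Lower-cased media type without parameters: 'text/xml; charset=utf-8' -> 'text/xml'."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def is_simple_request(method, headers):
    """True if a browser would send this cross-origin request without an OPTIONS preflight.

    Only method and Content-Type are modelled; custom request headers (which also
    trigger a preflight) are ignored for brevity.
    """
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return False
    ct = media_type(headers.get("Content-Type"))
    return ct == "" or ct in _SAFELISTED_MEDIA


def content_type_allowed(content_type):
    """Accept only XML media types; text/plain bodies are refused before parsing."""
    return media_type(content_type) in ALLOWED_CONTENT_TYPES


def cors_headers(origin):
    """CORS response headers for a given Origin: echo it only if allow-listed, never '*'."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def decide(method, headers):
    """(status, reason) a hardened handler produces before touching the request body."""
    if not content_type_allowed(headers.get("Content-Type")):
        return 415, "Unsupported Media Type: XML-RPC requires text/xml"
    return 200, "OK"


class HardenedXMLRPCHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/RPC2",)

    def do_POST(self):
        # Content-Type gate runs before the base class reads or parses the body.
        status, reason = decide("POST", self.headers)
        if status != 200:
            self.send_error(status, reason)
            return
        super().do_POST()

    def end_headers(self):
        # Base class calls this after its own headers; add CORS only for allow-listed origins.
        origin = self.headers.get("Origin") if hasattr(self, "headers") else None
        for name, value in cors_headers(origin).items():
            self.send_header(name, value)
        super().end_headers()


if __name__ == "__main__":
    # Constructed loopback binding for local testing; the base handler answers OPTIONS with
    # 501, so a preflight from a non-allow-listed page never gets CORS approval.
    with SimpleXMLRPCServer(("127.0.0.1", 8000), requestHandler=HardenedXMLRPCHandler,
                            allow_none=True, logRequests=False) as srv:
        srv.register_function(lambda: {"hostname": "example-host"}, "getAll")
        srv.serve_forever()
```

With this handler a cross-origin POST declared as text/plain is rejected with 415 before the XML is parsed, and a POST declared as text/xml is no longer a "simple request", so the browser sends a preflight first; because the handler never approves preflights from unlisted origins and never emits a wildcard origin, the calling page cannot read the response even if the server did process it.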

Affected Systems

All nicolargo Glances releases prior to 4.5.3 that run the XML-RPC server are affected. The vulnerability exists whenever XML-RPC mode is enabled, so any instance of the tool operating in server mode is at risk.

Risk and Exploitability

The CVSS v3.1 score of 7.1 indicates high severity, while an EPSS estimate of less than 1% suggests limited current exploitation activity. The issue does not appear in the CISA KEV catalog. The likely attack vector, inferred from the description, is browser-based: an attacker hosts a web page that issues a CORS-enabled POST to the vulnerable endpoint, and the victim's browser forwards the request and lets the page read the sensitive response.

Generated by OpenCVE AI on April 7, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.3 or newer.
  • If the XML‑RPC server is not required, disable the server mode to eliminate the vulnerable endpoint.


Advisories
Source: GitHub GHSA
ID: GHSA-7p93-6934-f4q7
Title: Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
History

Tue, 07 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
CPEs                                  cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
Metrics                               cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Nicolargo, Nicolargo glances
Vendors & Products                    Nicolargo, Nicolargo glances

Thu, 02 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Description                           (the CVE description quoted at the top of this page)
Title                                 Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Weaknesses                            CWE-942
References
Metrics                               cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:48:01.060Z

Reserved: 2026-03-20T18:05:11.831Z

Link: CVE-2026-33533

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-04-02T15:16:39.390

Modified: 2026-04-07T15:01:52.177

Link: CVE-2026-33533

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:55:42Z

Weaknesses