Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Published: 2026-04-02
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Cross-Origin System Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

Glances is an open-source system monitoring tool. The XML-RPC server, activated with glances -s or glances --server, incorrectly advertises a wildcard CORS header. Because the handler does not check the Content-Type, a malicious web page can send a simple POST request with Content-Type: text/plain containing a valid XML-RPC payload. The browser does not perform a preflight check, the server processes the payload and returns the complete monitoring data, and the wildcard CORS header allows the attacker's JavaScript to read the response. The exposed data includes hostname, OS version, IP addresses, CPU, memory, disk, network statistics and the full process list with command lines that often contain secrets.
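The mechanism described in the Description and Impact sections above, as an added illustration in Python (not Glances' own code): a minimal xmlrpc.server handler that reproduces the weak behaviour (wildcard Access-Control-Allow-Origin, no Content-Type check) beside a hardened handler, plus a loopback probe showing that a text/plain POST, the shape of a CORS simple request, is dispatched by the first and refused by the second. The getAll method name, the /RPC2 path and the returned data are constructed for the example.

```python
import http.client
import threading
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Constructed XML-RPC call; the 'getAll' method name is an assumption for the example.
XMLRPC_BODY = (b"<?xml version='1.0'?><methodCall><methodName>getAll</methodName>"
               b"<params></params></methodCall>")

class WeakHandler(SimpleXMLRPCRequestHandler):
    """Mirrors the weakness above: any body is dispatched, every response gets ACAO: *."""
    def end_headers(self):
        self.send_header("Access-Control-Allow-Origin", "*")
        super().end_headers()

class HardenedHandler(SimpleXMLRPCRequestHandler):
    """Dispatches only for an XML content type (which a browser cannot send cross-origin
    without a preflight) and emits no CORS header, so a foreign page gets nothing."""
    def do_POST(self):
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype not in ("text/xml", "application/xml"):
            self.send_error(415, "Unsupported Media Type")  # body is never parsed
            return
        super().do_POST()

def start_server(handler_cls):
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=handler_cls, logRequests=False)
    srv.register_function(lambda: {"hostname": "constructed-host"}, "getAll")  # constructed data
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def post(port, content_type):
    """POST the XML-RPC body with the given Content-Type; return (status, ACAO header, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("POST", "/RPC2", body=XMLRPC_BODY, headers={"Content-Type": content_type})
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Access-Control-Allow-Origin"), resp.read())
    conn.close()
    return result

def probe(handler_cls):
    """Send a text/plain POST (a CORS simple request's shape) to a server built on
    handler_cls and report (status, ACAO header, whether the data leaked)."""
    srv = start_server(handler_cls)
    try:
        status, acao, body = post(srv.server_address[1], "text/plain")
    finally:
        srv.shutdown()
        srv.server_close()
    return status, acao, b"constructed-host" in body
```

probe(WeakHandler) returns (200, '*', True) and probe(HardenedHandler) returns (415, None, False); a legitimate text/xml client still gets a 200 from the hardened handler.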

Affected Systems

The affected vendor is nicolargo, product Glances. Any installation of Glances that runs the XML-RPC server feature and uses a version older than 4.5.3 is vulnerable. Versions 4.5.3 and newer include the fix.

Risk and Exploitability

The CVSS score of 7.1 reflects moderate to high severity; no EPSS data is available and the vulnerability is not flagged in CISA's KEV catalog. The likely attack vector is a browser-based webpage controlled by an attacker that the victim visits while connected to the vulnerable Glances server. Because authentication is not required, any host that can reach the XML-RPC endpoint can retrieve the full system state, potentially leaking credentials or other sensitive information.

Generated by OpenCVE AI on April 2, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.3 or later
  • If upgrading is not possible, disable the XML-RPC server by removing the -s/--server option or binding it to localhost
  • Restrict network access to the Glances XML-RPC port using firewall rules

Advisories
Source: GitHub GHSA
ID: GHSA-7p93-6934-f4q7
Title: Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
History

Thu, 02 Apr 2026 20:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Nicolargo; Nicolargo glances

Type: Vendors & Products
Values Removed: (none)
Values Added: Nicolargo; Nicolargo glances

Thu, 02 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Description (text identical to the Description section at the top of this page)
Title Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Weaknesses CWE-942
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Nicolargo Glances
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T18:48:01.060Z

Reserved: 2026-03-20T18:05:11.831Z

Link: CVE-2026-33533

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-02T15:16:39.390

Modified: 2026-04-02T15:16:39.390

Link: CVE-2026-33533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:20:16Z

Weaknesses