Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Published: 2026-04-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Origin Data Exfiltration via Unauthenticated REST API
Action: Patch Immediately
AI Analysis

Impact

Glances is an open-source system monitoring tool that exposes a REST API at /api/4/* Before version 4.5.4, the web server allows unauthenticated access to this API and implements a permissive CORS policy (Access‑Control‑Allow‑Origin: *) which lets any origin send cross‑origin requests An attacker can use a malicious web page to read sensitive machine data from a Glances instance running on the victim’s browser, allowing cross‑origin data exfiltration The flaw is a confidentiality breach (CWE‑200) that can occur without authentication and primarily leaks system information such as process, network, and CPU statistics

Affected Systems

The vulnerability affects all editions of Glances provided by nicolargo. Versions earlier than 4.5.4 are vulnerable; Glances 4.5.4 and later contain the patch that removes the unauthenticated REST endpoints and tightens the CORS policy

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity for confidentiality impact. EPSS data is not available, and the vulnerability is not currently listed in CISA KEV. Exfiltration can be performed simply by hosting a malicious page and having a user visit the page while the Glances instance is reachable from the victim's network. Authentication is not required, and the permissive CORS header allows the browser to read the API response, making exploitation straightforward for an active web attacker.

Generated by OpenCVE AI on April 21, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.4 or later to remove the vulnerable REST endpoints and apply a restrictive CORS policy
  • If an upgrade is not immediately possible, restrict network access to the Glances web UI or bind the service to a loopback interface so it is not exposed to the public network
  • Configure the CORS header to allow only trusted origins or disable CORS entirely for the REST API endpoints
  • Enable authentication on the Glances web interface to prevent unauthenticated access to the API

Generated by OpenCVE AI on April 21, 2026 at 15:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gfc2-9qmw-w7vh Glances: Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
History

Fri, 24 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Mon, 20 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Title Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Weaknesses CWE-200
CWE-306
CWE-942
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:37:42.399Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34839

cve-icon Vulnrichment

Updated: 2026-04-21T19:37:39.723Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T00:16:27.910

Modified: 2026-04-24T19:09:23.017

Link: CVE-2026-34839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T15:37:55Z

Weaknesses