Description
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
Published: 2026-06-25
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Glances XML-RPC server contains a CORS origin list that is intended to restrict browser access to a set of origins. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever multiple origins are configured. As a result, an attacker can load a malicious web page from any origin and issue a CORS simple request to the /RPC2 endpoint, reading the full system monitoring data without the victim's knowledge. This leads to remote information disclosure of sensitive system metrics. The weaknesses are a permissive list of allowed inputs (CWE-183) and a permissive cross-domain security policy with untrusted domains (CWE-942).
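As an added illustration (not Glances' own code; the function names and the two-entry allowlist are constructed), the flawed origin selection described above beside a hardened replacement that reflects only an exact allowlist match, with a browser-side model of what a simple request can read and a small audit helper for the version range the description gives:

```python
"""Constructed illustration of the multi-origin CORS fallback (hypothetical code)."""
from typing import Optional

# Constructed two-entry allowlist, as in the description's operator scenario.
ALLOWLIST = ["https://dash1.internal", "https://dash2.internal"]


def vulnerable_allow_origin(cors_origins: list[str], request_origin: Optional[str]) -> Optional[str]:
    """Reconstruction of the flawed behaviour: a single entry is echoed verbatim,
    but two or more entries silently collapse to the wildcard."""
    if not cors_origins:
        return None
    if len(cors_origins) == 1:
        return cors_origins[0]
    return "*"  # the bug: an explicit allowlist becomes "allow every origin"


def hardened_allow_origin(cors_origins: list[str], request_origin: Optional[str]) -> Optional[str]:
    """Reflect the request's Origin only when it matches an allowlisted entry
    (origins compare case-insensitively); otherwise emit no ACAO header at all.
    A literal '*' entry can never equal a real Origin, so it is never honoured."""
    if not request_origin:
        return None
    allowed = {o.strip().lower() for o in cors_origins}
    if request_origin.strip().lower() in allowed:
        return request_origin.strip()
    return None


def cors_headers(cors_origins: list[str], request_origin: Optional[str]) -> dict[str, str]:
    """Headers for a /RPC2 response using the hardened selector. 'Vary: Origin'
    stops a shared cache from replaying one origin's answer to another origin."""
    acao = hardened_allow_origin(cors_origins, request_origin)
    if acao is None:
        return {}
    return {"Access-Control-Allow-Origin": acao, "Vary": "Origin"}


def browser_would_expose(acao: Optional[str], page_origin: str) -> bool:
    """Model of the browser's check for a non-credentialed simple request:
    the page may read the body only if ACAO is '*' or equals its own origin."""
    return acao == "*" or acao == page_origin


def affected_by_fallback(version: str, cors_origins: list[str]) -> bool:
    """Config audit: the description places the cors_origins option in 4.5.3 and
    the fix in 4.5.5, so only a multi-entry list on 4.5.3 or 4.5.4 widens to '*'."""
    parts = tuple(int(p) for p in version.split("."))
    return (4, 5, 3) <= parts < (4, 5, 5) and len(cors_origins) > 1
```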

Affected Systems

The vulnerability affects the Glances monitoring tool produced by nicolargo. Any version earlier than 4.5.5 is vulnerable, including 4.5.0 through 4.5.4. The XML-RPC server must be running with a multi-origin configuration to trigger the fallback.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity. EPSS is not reported, so the known exploitation probability remains uncertain, though the absence of a KEV listing suggests no major public exploitation yet. The typical attack requires only a browser running on the victim system: an attacker serves a malicious page from any domain and has it send a CORS simple request to /RPC2. Because the server responds with a wildcard origin, the browser lets the page read the response, handing the attacker the full monitoring data.

Generated by OpenCVE AI on June 25, 2026 at 19:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.5 or later, which removes the faulty CORS handling.
  • If an upgrade is not possible immediately, configure the XML-RPC server to use only a single allowed origin in cors_origins, thereby preventing the fallback to *.
  • Consider disabling the XML‑RPC server altogether or blocking its access via a firewall or reverse proxy until a patch can be applied.



Advisories

  • Source: GitHub GHSA
    ID: GHSA-87qc-fj39-wccr
    Title: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
History

Thu, 25 Jun 2026 18:30:00 +0000

Values Removed: (none)

Values Added:
  • Description: Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
  • Title: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
  • Weaknesses: CWE-183, CWE-942
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:05:48.123Z

Reserved: 2026-05-15T19:34:14.011Z

Link: CVE-2026-46608

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T19:30:15Z

Weaknesses
  • CWE-183

    Permissive List of Allowed Inputs

  • CWE-942

    Permissive Cross-domain Security Policy with Untrusted Domains