CVE-2026-32610
Published 2026-03-18
Priority P346 · Severity high · CVSS 3.1 base score 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.34% (25.7th percentile)
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| glances_project | glances | 0 – 4.5.1 | — |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| ghsa | | 8.1 | HIGH | |
| osv | | 8.1 | HIGH | |
| vendor_debian | | 8.1 | HIGH | |
Debian
vendor_debian · 2026 · CVSS 8.1 · HIGH
CVE-2026-32610: glances - Glances is an open-source system cross-platform monitoring tool (description identical to the NVD text above)
OSV
osv · 2026-03-30 · CVSS 8.1 · HIGH
CVE-2026-33533: Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard (a separate CVE: it concerns the Glances XML-RPC server started with `glances -s`, not the REST API web server covered by CVE-2026-32610)
### Summary
The Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full proces
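The two conditions described on this page, the REST API echoing the request's `Origin` together with `Access-Control-Allow-Credentials: true` (CVE-2026-32610, NVD description above) and the XML-RPC server answering a `text/plain` "simple request" with a literal `*` (CVE-2026-33533, summary above), are easy to confirm from the operator's side. The following script is an added example; it is not Glances project code and does not come from any of the advisories on this page. Assumed rather than taken from the page: the default ports 61208 (REST/web server) and 61209 (XML-RPC server), the REST path `/api/4/status`, and that the XML-RPC endpoint answers standard `system.listMethods` introspection. The attacker origin and the Cookie value are constructed placeholders.

```python
"""Operator-side check for the two Glances CORS weaknesses on this page.

Added example; not Glances project code and not from any advisory above.
Assumed (not from the page): default ports 61208 (REST/web server) and
61209 (XML-RPC server), the REST path /api/4/status, and that the XML-RPC
endpoint answers standard system.listMethods introspection. The attacker
origin and the Cookie value are constructed placeholders.
"""
import http.client
import sys

ATTACKER_ORIGIN = "https://attacker.example"  # constructed: any origin you do not own


def evaluate_cors(sent_origin, headers):
    """Classify the CORS headers returned for a request that carried sent_origin.

    "reflected+credentials": our Origin echoed back together with
        Access-Control-Allow-Credentials: true, so any site can read responses
        that carry the victim's credentials (the CVE-2026-32610 pattern).
    "wildcard": literal '*', readable by any site for un-credentialed
        requests (the XML-RPC server pattern, CVE-2026-33533).
    "reflected": Origin echoed without the credentials flag.
    "restricted": a fixed foreign origin, or no Access-Control-Allow-Origin
        at all (which also covers a server with no CORS handling).
    """
    norm = {k.lower(): v.strip() for k, v in headers.items()}
    acao = norm.get("access-control-allow-origin")
    creds = norm.get("access-control-allow-credentials", "").lower() == "true"
    if acao == sent_origin:
        return "reflected+credentials" if creds else "reflected"
    if acao == "*":
        return "wildcard"
    return "restricted"


def fetch(host, port, method, path, body=None, extra_headers=None, timeout=5):
    """One plain-HTTP exchange with a foreign Origin; returns (status, headers, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    headers = {"Origin": ATTACKER_ORIGIN}
    headers.update(extra_headers or {})
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def probe_rest(host="127.0.0.1", port=61208, path="/api/4/status"):
    """CVE-2026-32610 check: GET the REST API the way a cross-origin page would.

    The Cookie header is a constructed placeholder for whatever credential the
    victim's browser would attach; some CORS middlewares only switch from '*'
    to echoing the Origin when the request carries one, so send it.
    """
    status, hdrs, _ = fetch(host, port, "GET", path,
                            extra_headers={"Cookie": "session=probe"})
    return status, evaluate_cors(ATTACKER_ORIGIN, hdrs)


# The exact shape of a CORS "simple request": a POST with Content-Type
# text/plain is sent by browsers without a preflight. system.listMethods is
# standard XML-RPC introspection (assumed to be registered); even if it is
# not, a <methodResponse> (including a fault) shows the XML body was parsed.
LIST_METHODS = (b"<?xml version='1.0'?><methodCall>"
                b"<methodName>system.listMethods</methodName>"
                b"<params></params></methodCall>")


def probe_xmlrpc(host="127.0.0.1", port=61209, path="/"):
    """CVE-2026-33533 check: is a text/plain POST processed and answered with '*'?"""
    status, hdrs, body = fetch(host, port, "POST", path, body=LIST_METHODS,
                               extra_headers={"Content-Type": "text/plain"})
    return status, evaluate_cors(ATTACKER_ORIGIN, hdrs), b"<methodResponse>" in body


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, probe in (("REST API", probe_rest), ("XML-RPC ", probe_xmlrpc)):
        try:
            print(name, probe(target))
        except OSError as exc:  # connection refused, timeout, and similar
            print(name, "unreachable:", exc)
```

Run it as `python3 glances_cors_check.py <host>`; a `reflected+credentials` verdict on the REST API is the pre-4.5.2 behaviour this CVE describes, and `wildcard` plus a parsed `<methodResponse>` on the XML-RPC port is the second advisory's condition. A `restricted` verdict only means the response carried no usable `Access-Control-Allow-Origin`, not that every path is safe. The fix for the REST API is upgrading to 4.5.2; where an older build must stay behind a reverse proxy, the general CORS rule applies: an API that accepts credentials must name its allowed origins explicitly, never a wildcard and never an echo of the request's `Origin`.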
GHSA
ghsa · 2026-03-30 · CVSS 8.1 · HIGH · CWE-942
CVE-2026-33533: Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard (summary identical to the OSV entry above)
OSV
osv · 2026-03-18 · CVSS 8.1 · HIGH
CVE-2026-32610: Glances is an open-source system cross-platform monitoring tool (description identical to the NVD text above)
GHSA
ghsa · 2026-03-16 · HIGH · CWE-942
CVE-2026-32610: Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
## Summary
Same text as the NVD description above: the default CORS configuration combines `allow_origins=["*"]` with `allow_credentials=True`, so Starlette's `CORSMiddleware` reflects the request's `Origin` in `Access-Control-Allow-Origin`, and any website can make credentialed cross-origin API requests and read the monitoring data, configuration secrets and command line arguments of a user with an active session.
## Details
The CORS configuration is
OSV
osv · 2026-03-16 · HIGH
CVE-2026-32610: Glances's Default CORS Configuration Allows Cross-Origin Credential Theft (same advisory text as the GHSA entry above, including the truncated Details section)
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla · 2026-03-18 · CVSS 8.1 · HIGH
CVE-2026-32610 glances: default CORS configuration allows Cross-Origin credential theft [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
---
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla
bugzilla · 2026-03-18 · CVSS 8.1 · HIGH
CVE-2026-32610 glances: default CORS configuration allows Cross-Origin credential theft [fedora-all]
Disclaimer: same Red Hat community-tracker disclaimer as the epel-all entry above.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz
blogs_wiz · CVSS 8.1 · HIGH
CVE-2026-32610 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32610: Python vulnerability analysis and mitigation
Source: NVD
| Field | Value |
|---|---|
| Score | 8.1 (CNA score 8.1), severity HIGH |
| Published | March 18, 2026 |
| Affected technologies | Python, NixOS |
| Affected packages and libraries | glances |
| Has public exploit | Yes |
| Has CISA KEV exploit | No (KEV release date N/A, due date N/A) |
| Exploitation probability percentile (EPSS) | 9.2 |
| Exploitation probability (EPSS) | N/A |
Per-source fix status:
| Source | Severity | Fix | Added at |
|---|---|---|---|
| Debian 12, 13 | MEDIUM | No fix | Mar 19, 2026 |
| Debian 14 | HIGH | Has fix | Mar 19, 2026 |
| Echo | HIGH | No fix | Mar 19, 2026 |
| pip | HIGH | Has fix | Mar 17, 2026 |
| Homebrew | HIGH | Has fix | Mar 22, 2 |