CVE-2026-33533
published 2026-04-02CVE-2026-33533: Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances…
PriorityP338medium6.5CVSS 3.1
AVNACLPRNUIRSUCHINAN
EPSS
0.41%
32.7th percentile
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.3.2+dfsg-1 (forky) | glances 4.5.3.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.3.2+dfsg-1 | 4.5.3.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.5 | 4.5.5 |
| glances_project | glances | 0 – 4.5.1 | — |
| nicolargo | glances | < 4.5.5 | 4.5.5 |
| nicolargo | glances | < 4.5.3 | 4.5.3 |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
nvdv4.07.1HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
ghsa8.1HIGH
osv8.1HIGH
vendor_debian7.1HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
ghsa·2026-06-22·CVSS 6.5
CVE-2026-46608 [MEDIUM] CWE-183 Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
### Summary
The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE 2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard — the same exposure that the original CVE described. A malicious web page served from any origin can issue a CORS simple request to `/RPC2` and read the full system monitoring dataset without the victim's knowledge.
GHSA
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
ghsa·2026-06-22·CVSS 5.9
CVE-2026-46611 [MEDIUM] CWE-346 Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
### Summary
The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP server has had equivalent protection since 4.5.1. The XML-RPC server received neither fix and has no `allowed-hosts` configuration key. Combined with the unrestricted `Access-Control-Allow-Origin: *` header (see companion advisory for CVE-2026-33533 and its incomplete fix), an attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser.
---
### Details
**Affected component:** `glanc
OSV
CVE-2026-33533: (Glances is an open-source system cross-platform monitoring tool
osv·2026-04-03·CVSS 7.1
CVE-2026-33533 [HIGH] CVE-2026-33533: (Glances is an open-source system cross-platform monitoring tool
(Glances is an open-source system cross-platform monitoring tool. Prior ...)
OSV
CVE-2026-33533: Glances is an open-source system cross-platform monitoring tool
osv·2026-04-02·CVSS 7.1
CVE-2026-33533 [HIGH] CVE-2026-33533: Glances is an open-source system cross-platform monitoring tool
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including comman
OSV
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
osv·2026-03-30·CVSS 8.1
CVE-2026-33533 [HIGH] Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
### Summary
The Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full proces
GHSA
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
ghsa·2026-03-30·CVSS 8.1
CVE-2026-33533 [HIGH] CWE-942 Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
Glances Vulnerable to Cross-Origin System Information Disclosure via XML-RPC Server CORS Wildcard
### Summary
The Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full proces
Debian
CVE-2026-33533: glances - Glances is an open-source system cross-platform monitoring tool. Prior to versio...
vendor_debian·2026·CVSS 7.1
CVE-2026-33533 [HIGH] CVE-2026-33533: glances - Glances is an open-source system cross-platform monitoring tool. Prior to versio...
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including comman
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [epel-all]
bugzilla·2026-06-29·CVSS 6.5
CVE-2026-46608 [MEDIUM] CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [epel-all]
CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two int
Bugzilla
CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [fedora-all]
bugzilla·2026-06-29·CVSS 6.5
CVE-2026-46608 [MEDIUM] CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [fedora-all]
CVE-2026-46608 rtklib: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533) [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two i
Bugzilla
CVE-2026-46608 glances: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
bugzilla·2026-06-25·CVSS 6.5
CVE-2026-46608 [MEDIUM] CVE-2026-46608 glances: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
CVE-2026-46608 glances: Glances: XML-RPC Multi-Origin CORS Configuration Silently Falls Back to Wildcard (Incomplete Fix for CVE-2026-33533)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset
Wiz
CVE-2026-33533 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33533 [HIGH] CVE-2026-33533 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33533 :
Python vulnerability analysis and mitigation
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/me
2026-04-02
Published