Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32610 is a high-severity vulnerability in the Glances REST API web server, which is a cross-platform system monitoring tool. The issue arises from its default Cross-Origin Resource Sharing (CORS) configuration prior to version 4.5.2, where the server allows all origins ("*") and also allows credentials to be sent with cross-origin requests.'}, {'type': 'paragraph', 'content': 'Normally, browsers do not send credentials when the Access-Control-Allow-Origin header is set to "*". However, due to the way Starlette\'s CORSMiddleware works, when both allow_origins=["*"] and allow_credentials=True are set, the server reflects the requesting origin in the Access-Control-Allow-Origin header instead of using the wildcard. This behavior effectively allows any website to make credentialed cross-origin API requests to the Glances server.'}, {'type': 'paragraph', 'content': 'As a result, malicious websites can steal sensitive data such as system monitoring information, configuration secrets, and command line arguments from users who have an active browser session with Glances. This vulnerability was fixed in version 4.5.2 by changing the default CORS configuration to disable credentials unless specific origins are set.'}] [2, 1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have serious impacts including unauthorized data theft and potential manipulation of system monitoring data.

• Malicious websites can steal sensitive system monitoring data such as process lists, CPU, memory, disk, and network statistics.
• Attackers can access configuration secrets like database passwords and API keys.
• Command line arguments, which may contain password hashes and SNMP credentials, can be exposed.
• If Glances is running without a password, attackers can access data without any authentication.
• Even with password authentication, attackers can exploit cached Basic Auth credentials in the browser to perform cross-origin requests.
• Attackers can perform network reconnaissance by probing internal IP addresses for Glances instances.
• The vulnerability allows POST requests, enabling attackers to clear event logs or modify process monitoring data via API endpoints.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the CORS headers returned by the Glances REST API web server. Specifically, you should check if the server reflects the Origin header in the Access-Control-Allow-Origin response header while also allowing credentials.'}, {'type': 'paragraph', 'content': 'One way to detect this is to send a cross-origin request with credentials and observe the response headers.'}, {'type': 'list_item', 'content': 'Use curl to send a request with an Origin header and check the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers. For example:'}, {'type': 'list_item', 'content': 'curl -H "Origin: http://malicious.example.com" -I http://your-glances-server:61208/api/4/all'}, {'type': 'list_item', 'content': 'Check if the response includes Access-Control-Allow-Origin with the value of the Origin header (e.g., http://malicious.example.com) and Access-Control-Allow-Credentials: true.'}, {'type': 'paragraph', 'content': 'If these headers are present as described, the vulnerable CORS configuration is active.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation steps involve updating the Glances configuration to disable credentialed CORS requests unless explicitly required and restricting allowed origins.'}, {'type': 'list_item', 'content': 'Update Glances to version 4.5.2 or later, where the default CORS configuration has been fixed.'}, {'type': 'list_item', 'content': 'Modify the configuration files (e.g., glances.conf and docker-compose/glances.conf) to set the parameter `cors_credentials` to `False` unless you explicitly configure `cors_origins` with specific trusted origins.'}, {'type': 'list_item', 'content': 'Avoid using wildcard `allow_origins=["*"]` with `allow_credentials=True`.'}, {'type': 'list_item', 'content': 'Restrict allowed HTTP methods to reduce attack surface, for example, limit to `GET` instead of allowing all methods.'}, {'type': 'paragraph', 'content': 'These steps reduce the risk of cross-origin credential leakage and prevent unauthorized cross-origin API requests.'}] [1, 2]

Useful 0 Not Useful 0