CVE-2026-33533
CORS Misconfiguration in Glances XML-RPC Enables Data Exfiltration

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The browser sends the request without a preflight check, the server processes the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network stats, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: nicolargo; Product: glances; Version / Range: all versions before 4.5.3 (4.5.3 excluded)
CWE
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33533 is a high-severity vulnerability in the Glances system monitoring tool's XML-RPC server component, which is activated by running glances with server mode options. The vulnerability occurs because the server sends the HTTP header Access-Control-Allow-Origin: * on every response, allowing any origin to access the data via Cross-Origin Resource Sharing (CORS).

Additionally, the server does not validate the Content-Type header of incoming requests and processes XML-RPC payloads even if the Content-Type is set to text/plain. This allows an attacker-controlled webpage to issue a CORS "simple request" (a POST request with Content-Type: text/plain) containing a valid XML-RPC payload.

Since browsers treat such requests as simple requests, no CORS preflight OPTIONS request is sent, and the server processes the XML payload normally. The wildcard CORS header then allows the attacker's JavaScript to read the full response, which includes comprehensive system monitoring data such as hostname, OS version, IP addresses, CPU, memory, disk, network stats, and the full process list including command lines.

These command lines often contain sensitive information like tokens, passwords, or internal paths. The vulnerability affects all Glances versions prior to 4.5.3 and has been patched in version 4.5.3 by restricting the CORS wildcard to prevent unauthorized cross-origin access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Glances XML-RPC server allows unauthorized exfiltration of detailed system monitoring data, including hostname, OS version, IP addresses, CPU/memory/disk/network stats, and full process lists with command lines that may contain sensitive information such as tokens and passwords.

Such unauthorized disclosure of sensitive system and potentially personal data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and disclosure.

Because the vulnerability enables remote attackers to access sensitive system information without authentication or user interaction, organizations using vulnerable versions of Glances in server mode may face increased risk of data breaches and regulatory violations.


How can this vulnerability impact me?

This vulnerability allows an attacker to remotely and silently exfiltrate the entire system monitoring dataset from a Glances server running in server mode on a network-accessible interface.

An attacker can exploit this by hosting a malicious webpage that issues a cross-origin POST request to the vulnerable Glances XML-RPC server, retrieving sensitive system information without any user interaction beyond visiting the page.

  • Exposure of hostname and operating system version.
  • Disclosure of IP addresses and network statistics.
  • Access to CPU, memory, disk usage statistics.
  • Full process list including command lines, which may contain tokens, passwords, or internal file paths.

Such detailed system information disclosure can lead to further compromise, including unauthorized access or exploitation of other vulnerabilities.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the Glances XML-RPC server is running and responding to cross-origin POST requests with the header Access-Control-Allow-Origin set to "*". Specifically, you can test if the server accepts POST requests with Content-Type: text/plain containing XML-RPC payloads and returns system monitoring data.

Proof-of-concept exploits include a Python script that sends a POST request with Content-Type: text/plain containing an XML-RPC getAll method call to the target Glances XML-RPC server, and browser-based JavaScript that performs a cross-origin fetch to extract system information.

Suggested commands to detect the vulnerability include sending a POST request with a valid XML-RPC payload and Content-Type: text/plain to the Glances server endpoint (usually on the port where glances -s or glances --server is running) and observing if the response includes system monitoring data along with the Access-Control-Allow-Origin: * header.

  • Use curl to send a test POST request with Content-Type: text/plain and an XML-RPC payload, for example:
    curl -X POST http://<glances-server-ip>:<port>/ -H "Content-Type: text/plain" --data '<methodCall><methodName>getAll</methodName><params></params></methodCall>' -v
  • Check HTTP response headers for Access-Control-Allow-Origin: *
  • Look for system monitoring data in the response body, such as hostname, OS version, CPU/memory stats, and process list.
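The mechanism explained in the first answer and the detection checks listed above reduce to two observable conditions on one response: the wildcard CORS header, and the server having executed a call that arrived as text/plain. The Python below is an added example (not code from Glances or from this page): it builds the same getAll request as the curl command with the standard-library marshaller, classifies a response into those two conditions, and runs the classifier over constructed sample responses. `probe()` sends the request to a URL you supply and returns only the verdict, discarding the monitoring data.

```python
"""Classify a response to the detection request (POST, Content-Type: text/plain,
XML-RPC getAll) into the two conditions that together let a cross-origin page
read the result. Added example, not Glances code."""
import urllib.error
import urllib.request
import xmlrpc.client
from dataclasses import dataclass

# The same call the curl command on the page sends, built with the stdlib marshaller.
PROBE_BODY = xmlrpc.client.dumps((), methodname="getAll").encode()


@dataclass
class Verdict:
    wildcard_cors: bool        # Access-Control-Allow-Origin: * was returned
    accepted_text_plain: bool  # the text/plain body was executed as XML-RPC

    @property
    def exposed(self) -> bool:
        # Both are needed: the header is what lets a page read what the call returned.
        return self.wildcard_cors and self.accepted_text_plain


def classify(status: int, headers: dict, body: bytes) -> Verdict:
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    wildcard = lowered.get("access-control-allow-origin") == "*"
    accepted = False
    if status == 200:
        try:
            params, method = xmlrpc.client.loads(body)
            # A methodResponse carrying a value means the server ran the call;
            # loads() raises Fault for <fault> responses and ExpatError for non-XML.
            accepted = method is None and len(params) > 0
        except Exception:
            accepted = False
    return Verdict(wildcard, accepted)


def probe(url: str, timeout: float = 5.0) -> Verdict:
    """Send the detection request to a Glances XML-RPC endpoint you operate and
    return only the verdict; the response body is not kept."""
    req = urllib.request.Request(
        url, data=PROBE_BODY, method="POST",
        headers={"Content-Type": "text/plain", "Origin": "https://scanner.example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        return classify(e.code, dict(e.headers), e.read())


# Constructed sample responses (status, headers, body); none captured from a real host.
VULNERABLE = (
    200,
    {"Content-Type": "text/xml", "Access-Control-Allow-Origin": "*"},
    xmlrpc.client.dumps(({"hostname": "demo-host", "os_name": "Linux"},),
                        methodresponse=True).encode(),
)
PATCHED = (
    400,
    {"Content-Type": "text/plain"},
    b"Content-Type must be text/xml or application/xml",
)
WILDCARD_BUT_REFUSED = (  # header still wildcard, but the call itself was refused
    200,
    {"Content-Type": "text/xml", "Access-Control-Allow-Origin": "*"},
    xmlrpc.client.dumps(xmlrpc.client.Fault(400, "unsupported Content-Type")).encode(),
)

if __name__ == "__main__":
    for name, sample in [("vulnerable", VULNERABLE), ("patched", PATCHED),
                         ("wildcard-but-refused", WILDCARD_BUT_REFUSED)]:
        print(name, classify(*sample))
```

A host is reported as exposed only when both conditions hold; a wildcard header on a server that refuses the text/plain body is still worth fixing, but it no longer gives a foreign page anything to read.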

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Glances to version 4.5.3 or later, where the vulnerability CVE-2026-33533 has been patched by restricting the wildcard CORS setting in the XML-RPC server.

If upgrading is not immediately possible, you should configure the Glances server to restrict CORS origins instead of allowing all origins with "*". This can be done by setting the `cors_origins` option in the Glances configuration file (`glances.conf`) under the `[outputs]` section to a specific, trusted origin or origins.

Additionally, enable authentication on the Glances XML-RPC server by setting a password to prevent unauthorized access.

Avoid running the Glances XML-RPC server on publicly accessible interfaces or networks where untrusted users can connect.

  • Upgrade Glances to version 4.5.3 or later.
  • Set `cors_origins` in `glances.conf` to restrict allowed CORS origins.
  • Enable authentication by setting a password for the XML-RPC server.
  • Limit network exposure of the Glances server.
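As an added illustration of the two server-side controls the mitigation list relies on, the standard-library XML-RPC server below refuses any body not declared as XML and sends Access-Control-Allow-Origin only for an explicit allow-list instead of "*". This is example code, not Glances' own server; ALLOWED_ORIGINS and the trusted origin in it are assumptions, not a Glances configuration key, and the getAll stub returns constructed data. `demo()` runs it on loopback and exercises the cases the advisory turns on.

```python
"""Minimal XML-RPC server with a Content-Type check and an origin allow-list.
Added example using xmlrpc.server; not Glances' own code."""
import threading
import urllib.error
import urllib.request
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

ALLOWED_ORIGINS = {"https://dashboard.example"}  # assumed trusted origin, not a Glances setting
XML_TYPES = {"text/xml", "application/xml"}


class HardenedHandler(SimpleXMLRPCRequestHandler):
    def do_POST(self):
        ctype = self.headers.get("Content-Type", "").split(";")[0].strip().lower()
        if ctype not in XML_TYPES:
            # text/plain is a CORS "simple" type and arrives without a preflight;
            # refusing it closes that path regardless of any CORS header.
            self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain, then refuse
            self.send_error(415, "Content-Type must be text/xml or application/xml")
            return
        super().do_POST()

    def do_OPTIONS(self):
        # Preflight for the (non-simple) text/xml POST: only allow-listed origins succeed.
        if self.headers.get("Origin") in ALLOWED_ORIGINS:
            self.send_response(204)
            self.send_header("Access-Control-Allow-Methods", "POST")
            self.send_header("Access-Control-Allow-Headers", "Content-Type")
        else:
            self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def end_headers(self):
        # Echo the Origin only when allow-listed; every other origin gets no CORS header.
        origin = self.headers.get("Origin")
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")
        super().end_headers()


def start_server():
    """Bind a loopback server on a free port and serve it from a daemon thread."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=HardenedHandler,
                                logRequests=False)
    # Constructed stand-in for Glances' getAll; returns fixed demo data.
    server.register_function(lambda: {"hostname": "demo-host"}, "getAll")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def post(url, content_type, origin):
    """POST a getAll call; return (status, Access-Control-Allow-Origin or None)."""
    body = xmlrpc.client.dumps((), methodname="getAll").encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type, "Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Access-Control-Allow-Origin")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Access-Control-Allow-Origin")


def preflight(url, origin):
    """Send a CORS preflight (OPTIONS) and return the status code."""
    req = urllib.request.Request(url, method="OPTIONS", headers={"Origin": origin})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def demo():
    """Exercise the cases the advisory turns on and return their outcomes."""
    server, url = start_server()
    try:
        return {
            "text_plain_rejected": post(url, "text/plain", "https://other.example")[0] == 415,
            "foreign_origin_gets_no_cors": post(url, "text/xml", "https://other.example")[1] is None,
            "allowed_origin_echoed": post(url, "text/xml", "https://dashboard.example")[1]
                                     == "https://dashboard.example",
            "foreign_preflight_refused": preflight(url, "https://other.example") == 403,
            "allowed_preflight_ok": preflight(url, "https://dashboard.example") == 204,
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The Content-Type check alone already stops the no-preflight path, and the allow-list alone already stops a foreign page from reading the response; applying both means neither control is a single point of failure, which is the same pairing the mitigation list recommends (upgrade plus restricted origins).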
