CVE-2026-34839
Received Received - Intake
CORS Vulnerability in Glances REST API Enables Data Exfiltration

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34839
EUVD
EUVD-2026-23986
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nicolargo glances to 4.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-942 The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34839 is a high-severity vulnerability in the Glances system monitoring tool that affects its web server REST API prior to version 4.5.4. The REST API endpoint (/api/4/*) is accessible without authentication and implements a permissive Cross-Origin Resource Sharing (CORS) policy by setting the HTTP header Access-Control-Allow-Origin to '*'. This allows any website to make cross-origin requests to the API from a victim's browser and read sensitive system information exposed by Glances.

Because of this misconfiguration, a malicious website can use JavaScript to fetch detailed system data such as running processes, system details (hostname, OS, CPU info), memory and disk usage, network interfaces, IP addresses, and running services from the victim's Glances instance without their consent.

This vulnerability enables cross-origin data exfiltration of sensitive information, facilitating unauthorized disclosure and potential further attacks. The issue was fixed in Glances version 4.5.4 by restricting CORS permissions.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive system information from a Glances instance running on your system. An attacker can exploit the permissive CORS policy to read detailed data such as running processes, system configuration, network interfaces, IP addresses, and resource usage remotely through a victim's browser.

The exposed information can be used by attackers to perform reconnaissance, identify potential weaknesses, and plan targeted attacks against your system or network.

Since the API is unauthenticated and accessible by default, any user visiting a malicious website could unknowingly leak sensitive system data, increasing the risk of compromise.

Detection Guidance

This vulnerability can be detected by checking if the Glances monitoring tool is running in web mode and exposing the unauthenticated REST API endpoint at port 61208, specifically the path /api/4/all.

You can test this by sending an HTTP request to the endpoint and inspecting the response headers and content.

  • Use curl to check the API endpoint and CORS headers: curl -i http://<host>:61208/api/4/all
  • Look for the HTTP header Access-Control-Allow-Origin: * which indicates a permissive CORS policy.
  • Verify if the response contains sensitive system information such as process lists, system details, memory usage, network interfaces, and running services.
Mitigation Strategies

The immediate mitigation step is to upgrade Glances to version 4.5.4 or later, where the vulnerability has been patched by restricting the CORS permissions on the REST API.

If upgrading is not immediately possible, consider disabling the web server mode of Glances or restricting network access to the API port (61208) to trusted hosts only.

Additionally, avoid running Glances with the web server bound to all interfaces (0.0.0.0) to reduce exposure.

Compliance Impact

The vulnerability in Glances allows unauthorized cross-origin access to sensitive system information without authentication, leading to potential exposure of sensitive data.

Such unauthorized disclosure of sensitive information can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring confidentiality.

By exposing system details, process lists, network configurations, and other sensitive metrics to any origin via a permissive CORS policy, this vulnerability increases the risk of data breaches and unauthorized data exfiltration, which are critical compliance concerns under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart