CVE-2026-46608
Deferred - Pending Action
Glances XML-RPC Server CORS Misconfiguration Exposes System Data

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. In version 4.5.3, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list as a mitigation for CVE-2026-33533. However, in versions prior to 4.5.5 the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
Meta Information
Generated: 2026-06-26
AI Q&A: 2026-06-25
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: glances
Product: glances
Version / Range: up to 4.5.5 (excluding)
CWE
CWE-183: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive - that is, it allows an input that is unsafe, leading to resultant weaknesses.
CWE-942: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.
AI Quick Actions
Executive Summary

This vulnerability exists in the Glances system monitoring tool's XML-RPC server prior to version 4.5.5. The server introduced a configurable CORS origin list in version 4.5.3 to mitigate a previous vulnerability. However, if the operator configures the CORS allowlist with more than one origin, the implementation incorrectly falls back to allowing all origins (Access-Control-Allow-Origin: *).

As a result, a malicious web page from any origin can send a CORS request to the /RPC2 endpoint and read the full system monitoring data without the user's knowledge, bypassing the intended restrictions.

This issue was fixed in Glances version 4.5.5.

Impact Analysis

The vulnerability allows unauthorized web pages from any origin to access sensitive system monitoring data exposed by the Glances XML-RPC server. This means an attacker can silently retrieve detailed system information without user consent or awareness.

Such unauthorized access can lead to information disclosure, potentially exposing system metrics and data that could be used for further attacks or reconnaissance.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Glances to version 4.5.5 or later, where the issue is fixed.

Avoid configuring the CORS origin list with more than one entry in versions prior to 4.5.5, as this causes the server to fall back to an unrestricted wildcard, exposing sensitive system monitoring data.

Compliance Impact

The vulnerability in Glances XML-RPC server allows any malicious web page to read the full system monitoring dataset without the victim's knowledge due to improper CORS origin handling.

This exposure includes sensitive system information such as hostname, OS details, process lists (which may contain credentials), CPU/memory/disk statistics, and container metadata.

Such unauthorized data exposure could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require protection of sensitive and personal data against unauthorized access.

Therefore, organizations using vulnerable versions of Glances in XML-RPC server mode risk violating these standards due to potential data leakage.

Detection Guidance

This vulnerability affects the Glances XML-RPC server mode (started with the command `glances -s`) when the configuration contains two or more entries in the cors_origins list. Detection involves verifying whether the Glances server is running in XML-RPC mode and checking the cors_origins configuration.

To detect if your system is vulnerable, you can:

  • Check if Glances is running in server mode with the command: `ps aux | grep 'glances -s'`
  • Inspect the Glances configuration file (usually `~/.config/glances/glances.conf` or `/etc/glances/glances.conf`) for the `cors_origins` setting and see if it contains more than one origin.
  • Use a network tool like curl to send a CORS request to the XML-RPC endpoint and observe the Access-Control-Allow-Origin header. For example: `curl -i -H "Origin: http://example.com" http://<glances-server-ip>:61208/RPC2` and check if the response header `Access-Control-Allow-Origin` is set to `*`.

If the server responds with `Access-Control-Allow-Origin: *` despite having multiple origins configured, the vulnerability is present.
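As an added example (not Glances project code), the script below automates the configuration and header checks above: it parses cors_origins out of glances.conf text and judges an observed Access-Control-Allow-Origin value against what a correct allowlist should return. The `[server]` section name and the comma-separated list format are assumptions; the live probe mirrors the curl request and is left commented out so the script runs offline against the constructed sample config.

```python
import configparser
import urllib.request

# Constructed sample glances.conf: an explicit two-entry allowlist, the
# shape that triggers the wildcard fallback in 4.5.3 <= version < 4.5.5.
# The [server] section name is an assumption, not taken from the advisory.
SAMPLE_CONF = """
[server]
port = 61208
cors_origins = https://dash1.internal, https://dash2.internal
"""


def parse_cors_origins(conf_text, section="server"):
    """Return the cors_origins entries (assumed comma-separated) from config text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    raw = cp.get(section, "cors_origins", fallback="")
    return [o.strip() for o in raw.split(",") if o.strip()]


def expected_acao(allowlist, origin):
    """Correct allowlist semantics: echo the request Origin only when it is listed."""
    return origin if origin in allowlist else None


def classify(allowlist, origin, observed):
    """Judge an observed Access-Control-Allow-Origin value against the config.
    'vulnerable': an allowlist is configured yet the server answered '*'.
    'ok': the header matches what a correct allowlist would return.
    'suspicious': any other mismatch (e.g. echoing an origin that was not sent).
    """
    if observed == "*" and allowlist:
        return "vulnerable"
    return "ok" if observed == expected_acao(allowlist, origin) else "suspicious"


def probe(url, origin, timeout=5):
    """Send the same simple request as the curl check and return the ACAO header."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Access-Control-Allow-Origin")


if __name__ == "__main__":
    allow = parse_cors_origins(SAMPLE_CONF)
    if len(allow) > 1:
        print(f"{len(allow)} cors_origins entries configured: affected if Glances < 4.5.5")
    # Live check against a real server (replace the placeholder host):
    # print(classify(allow, "http://example.com", probe("http://<glances-server-ip>:61208/RPC2", "http://example.com")))
```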
