PT-2026-25848 · Starlette+2

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32610

CVSS v2.0: 9.4 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.2

Description

Glances, a cross-platform system monitoring tool, has a configuration issue in its REST API web server. The default CORS (Cross-Origin Resource Sharing) configuration sets allow_origins to '*' and allow_credentials to True. This combination allows any website to make credentialed cross-origin API requests to the Glances server, potentially enabling cross-site data theft, including system monitoring information, configuration secrets, and command-line arguments. The issue stems from Starlette's CORSMiddleware reflecting the requesting Origin header instead of returning the wildcard '*'. The configuration is set in glances/outputs/glances_restful_api.py, lines 290-299. Without a password, any website can read all API endpoints. With a password, cached credentials can be exploited. The API endpoints /api/4/all, /api/4/config, and /api/4/args are particularly vulnerable.

Recommendations

Versions prior to 4.5.2: change the default CORS credentials setting to False. Alternatively, reject the insecure combination of allow_origins="*" and allow_credentials=True at startup, and configure specific origins if credentials must be enabled. Also restrict the allowed methods to GET.
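The startup guard recommended above, as an added example (not Glances' or Starlette's own code): cors_settings() refuses the wildcard-plus-credentials combination and defaults the methods to GET, and response_cors_headers() is a simplified model, assumed from the advisory text rather than copied from Starlette's CORSMiddleware, of why that combination ends up echoing the caller's Origin. INSECURE_DEFAULTS is a constructed stand-in for the pre-4.5.2 settings the advisory describes.

```python
from typing import Sequence

# Constructed: the permissive defaults the advisory attributes to Glances < 4.5.2.
INSECURE_DEFAULTS = {"allow_origins": ["*"], "allow_credentials": True,
                     "allow_methods": ["*"]}


def cors_settings(allow_origins: Sequence[str], allow_credentials: bool,
                  allow_methods: Sequence[str] = ("GET",)) -> dict:
    """Build kwargs for Starlette's CORSMiddleware, refusing the insecure
    combination at startup instead of passing it through."""
    if allow_credentials and "*" in allow_origins:
        raise ValueError("allow_origins='*' with allow_credentials=True lets any "
                         "site read credentialed responses; list explicit origins")
    return {"allow_origins": list(allow_origins),
            "allow_credentials": allow_credentials,
            "allow_methods": list(allow_methods)}


def is_rejected(allow_origins: Sequence[str], allow_credentials: bool) -> bool:
    """Convenience wrapper so a startup self-test can assert on the guard."""
    try:
        cors_settings(allow_origins, allow_credentials)
    except ValueError:
        return True
    return False


def response_cors_headers(settings: dict, request_origin: str) -> dict:
    """Simplified model (assumption, not Starlette's code) of the CORS headers
    sent back for a request carrying `request_origin`. A credentialed response
    may not carry '*', so a wildcard-plus-credentials config echoes the
    caller's Origin, which is the reflection the advisory describes."""
    headers = {}
    origins = settings["allow_origins"]
    if "*" in origins and not settings["allow_credentials"]:
        headers["Access-Control-Allow-Origin"] = "*"
    elif "*" in origins or request_origin in origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        if settings["allow_credentials"]:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def credentialed_read_possible(settings: dict, origin: str) -> bool:
    """True if a page served from `origin` could read a credentialed response."""
    h = response_cors_headers(settings, origin)
    return (h.get("Access-Control-Allow-Origin") == origin
            and h.get("Access-Control-Allow-Credentials") == "true")
```

Running credentialed_read_possible(INSECURE_DEFAULTS, origin) for any origin returns True, while the explicit-origin configuration from cors_settings() only returns True for the origins listed.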

Related Identifiers

BDU:2026-07230
CVE-2026-32610
GHSA-9JFM-9RC6-2HFQ
OPENSUSE-SU-2026:10415-1

Affected Products

Glances
Red Os
Starlette