PT-2026-33776 · Glance · Glance

Published: 2026-04-20 · Updated: 2026-04-22 · CVE-2026-34839

CVSS v4.0: 8.7 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Glances versions prior to 4.5.4

Description

The web server exposes a REST API endpoint '/api/4/*' that is accessible without authentication. Due to a permissive Cross-Origin Resource Sharing (CORS) policy, specifically the 'Access-Control-Allow-Origin: *' header, the server allows cross-origin requests from any origin. This enables a malicious website to read sensitive system information from a running instance via the victim's browser, leading to cross-origin data exfiltration. The '/api/4/all' endpoint returns extensive data, including the process list, hostname, OS, CPU info, memory and disk usage, network interfaces, IP addresses, and running services.

Recommendations

Update to version 4.5.4.
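
The following check is an added example, not code from this advisory or from the Glances project: it classifies captured HTTP responses to an unauthenticated request for '/api/4/all' and reports which ones a page on another origin could read. The host names, probe origin and response bodies are constructed, and the reflected-Origin case goes beyond the wildcard header described above.

```python
# Added example: triage captured responses to an unauthenticated request for
# /api/4/all. All sample responses are constructed for illustration.

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    return status, headers, body


def leaks_cross_origin(raw, probe_origin):
    """True if a page on probe_origin could read API data from this response
    when the browser sends the request without credentials."""
    status, headers, body = parse_response(raw)
    if status != 200 or not body:
        return False  # authentication demanded or nothing returned
    acao = headers.get("access-control-allow-origin", "")
    # "*" is the case in the advisory; a reflected Origin has the same effect.
    return acao == "*" or acao == probe_origin


def triage(captures, probe_origin="https://probe.example"):
    """Return the names of captures that expose data cross-origin."""
    return sorted(n for n, raw in captures.items() if leaks_cross_origin(raw, probe_origin))


# Constructed captures (hypothetical host names and bodies).
CAPTURES = {
    "wildcard-open": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                     "Access-Control-Allow-Origin: *\r\n\r\n{\"system\": {\"hostname\": \"host-a\"}}",
    "wildcard-auth": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic\r\n"
                     "Access-Control-Allow-Origin: *\r\n\r\n",
    "no-cors": "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"system\": {}}",
    "reflected": "HTTP/1.1 200 OK\r\naccess-control-allow-origin: https://probe.example\r\n\r\n{\"cpu\": {}}",
}

if __name__ == "__main__":
    print(triage(CAPTURES))
```

A 200 response without the CORS header is still an unauthenticated API for anyone who can reach it on the network; it is only the browser-mediated cross-origin read that this check rules out.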

Exploit

Fix

Information Disclosure

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-34839
GHSA-GFC2-9QMW-W7VH
OPENSUSE-SU-2026:10602-1

Affected Products

Glance