Skip to main content

Glances CVE-2026-34839

| EUVDEUVD-2026-23986 HIGH
Information Exposure (CWE-200)
2026-04-21 security-advisories@github.com GHSA-gfc2-9qmw-w7vh
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 19:09 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 16:01 EUVD
Analysis Generated
Apr 21, 2026 - 00:37 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 00:22 euvd
EUVD-2026-23986
Analysis Generated
Apr 21, 2026 - 00:22 vuln.today
CVE Published
Apr 21, 2026 - 00:16 nvd
HIGH 7.7

DescriptionGitHub Advisory

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (/api/4/*) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (Access-Control-Allow-Origin: *). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (/api/4/*) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.

AnalysisAI

Cross-origin data exfiltration in Glances web server allows remote unauthenticated attackers to read sensitive system information (CPU, memory, processes, network stats) through the REST API endpoint /api/4/* via malicious websites exploiting permissive CORS policy. Affects all versions prior to 4.5.4. EPSS score of 0.06% (18th percentile) suggests low widespread exploitation probability despite proof-of-concept availability, though the network-accessible, unauthenticated attack vector (AV:N/PR:N) combined with high confidentiality impact (VC:H) makes this a priority for internet-exposed instances.

Technical ContextAI

Glances is a Python-based cross-platform system monitoring tool providing both CLI and web server interfaces for viewing system metrics. The vulnerability exists in the web server component's REST API implementation at the /api/4/* endpoints. The server applies an overly permissive Cross-Origin Resource Sharing (CORS) policy with 'Access-Control-Allow-Origin: *' header, violating same-origin policy protections that normally prevent cross-site requests. This CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) flaw allows any external website to issue JavaScript fetch/XMLHttpRequest calls to a victim's local or network-accessible Glances instance and retrieve the JSON responses containing system telemetry. The vulnerability specifically affects the REST API path space (/api/4/*), which exposes more granular system data than the previously disclosed XML-RPC CORS issue, including detailed process information, filesystem stats, and network connections that could aid reconnaissance for further attacks.

RemediationAI

Upgrade immediately to Glances version 4.5.4 or later, which implements proper CORS policy restrictions on the /api/4/* endpoints. Patch is available from the official GitHub repository at https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9 and documented in security advisory GHSA-gfc2-9qmw-w7vh. For environments unable to upgrade immediately, implement network-level access controls: bind Glances web server to localhost only (--bind 127.0.0.1) if local-only access suffices, which prevents remote cross-origin attacks but limits legitimate remote monitoring; alternatively, deploy reverse proxy (nginx, Apache) with strict CORS headers and authentication before the Glances instance, though this adds architectural complexity and potential misconfiguration risk. If internet exposure is required, use SSH tunneling or VPN access rather than direct exposure until patching is complete. Note that disabling the web server entirely (running Glances in terminal mode only with -t flag) eliminates the attack surface but removes web dashboard functionality. Review web server access logs for suspicious cross-origin requests from unexpected Referer headers as potential indicators of exploitation attempts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-34839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy