CVE-2026-32610 Overview
CVE-2026-32610 is an insecure default configuration vulnerability in Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.2, the Glances REST API web server shipped a default CORS configuration of allow_origins=["*"] combined with allow_credentials=True. Starlette's CORSMiddleware, which Glances uses, cannot honour that pair literally (a browser refuses to expose a credentialed response that carries Access-Control-Allow-Origin: *), so for requests that carry cookies it reflects the requesting Origin value in the Access-Control-Allow-Origin response header instead of returning the literal * wildcard. The effect is that any website can make credentialed cross-origin requests to the Glances API and read the responses, enabling cross-site theft of system monitoring data, configuration secrets, and process command line arguments from any user who has an active browser session with a Glances instance.
Critical Impact
By exploiting the permissive CORS default from a malicious website, an attacker can read sensitive system monitoring data, configuration secrets, and process command line arguments belonging to any Glances user whose browser visits that site while holding a session with the Glances web interface.
Affected Products
- Glances versions prior to 4.5.2
- Glances REST API web server running with the unmodified default CORS configuration
- Systems running Glances with the web server (glances -w) enabled
Discovery Timeline
- 2026-03-18 - CVE-2026-32610 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32610
Vulnerability Analysis
The vulnerability resides in the default CORS (Cross-Origin Resource Sharing) configuration of the Glances REST API. The problematic combination is allow_origins set to the wildcard * (accept every origin) while allow_credentials=True. The CORS specification forbids the literal pairing: a browser will not expose a credentialed response that carries Access-Control-Allow-Origin: *. Starlette's CORSMiddleware sidesteps that rule by reflecting the requesting Origin header into Access-Control-Allow-Origin when the request carries cookies, which produces a response the browser does accept. The net effect is that the browser-side check meant to prevent credentialed sharing with arbitrary domains never fires.
The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), which describes scenarios where a web server allows cross-origin requests from untrusted sources, potentially exposing sensitive data to malicious actors.
Root Cause
The root cause is an insecure default in the Glances configuration file: cors_credentials defaulted to True while cors_origins defaulted to *. With that pair, the Starlette CORS middleware reflects the Origin header, so any website can make credentialed requests to the Glances API and read the responses. The fix changes the default value of cors_credentials to False and warns users to enable it only when cors_origins is configured with specific trusted origins.
Attack Vector
The attack is network-based and requires user interaction. An attacker hosts a malicious web page whose script issues cross-origin requests to the victim's Glances instance with credentials included. When a victim who holds an active Glances session visits that page, the browser attaches the victim's credentials, Glances answers with Access-Control-Allow-Origin set to the attacker's origin and Access-Control-Allow-Credentials: true, and the page's script can read the response body. The attacker then exfiltrates system monitoring information including CPU/memory usage, the process list, configuration data, and command line arguments, which may contain secrets.
# Vulnerable Configuration (conf/glances.conf)
# Default is *
#cors_origins=*
# Indicate that cookies should be supported for cross-origin requests.
-# Default is True
-#cors_credentials=True
+# Default is False.
+# Set to True only when cors_origins is explicitly configured with specific origins.
+#cors_credentials=False
# Comma separated list of HTTP methods that should be allowed for cross-origin requests.
# Default is *
#cors_methods=*
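Review bot: the new comment on cors_credentials tells operators to enable it only when cors_origins is set to specific origins, but nothing in this hunk enforces that; cors_origins still defaults to `*` just above, so anyone who flips `#cors_credentials=False` back to `cors_credentials=True` without touching cors_origins recreates the vulnerable pair. Consider having the web server refuse to start, or at least log a warning and force credentials off, when cors_origins contains `*` and cors_credentials is True, rather than relying on the comment alone.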
Source: GitHub Commit Update
Detection Methods for CVE-2026-32610
Indicators of Compromise
- Requests to Glances API endpoints whose Origin header names a domain you do not operate, particularly when the same request also carries a Cookie header
- Responses in which Access-Control-Allow-Origin echoes an unknown origin alongside Access-Control-Allow-Credentials: true (visible where a reverse proxy logs response headers)
- Anomalous API access patterns, such as bursts of requests across many plugin endpoints from browsers whose Referer points at an external domain
Detection Strategies
- Monitor web server access logs for cross-origin requests to Glances API with credentials
- Review Glances configuration files for insecure CORS settings (cors_credentials=True with cors_origins=*)
- Implement network monitoring to detect data exfiltration from Glances instances
Monitoring Recommendations
- Enable detailed logging for the Glances REST API to capture Origin headers; the default access log records only the client address, request line and status, so capture the Origin and Cookie headers at a reverse proxy in front of Glances
- Set up alerts for unusual API access patterns or high-volume data requests
- Regularly audit Glances configuration files across deployed instances
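The following Python helpers are added here as an example; they are not code from the Glances project or the advisory. They cover two of the checks above: audit_config resolves a glances.conf against the version-specific defaults (a commented-out key means the default applies, so an untouched pre-4.5.2 file is flagged even though it sets nothing explicitly), and classify_cors_headers plus probe replay the credentialed cross-origin request a hostile page would trigger and classify the response by what a browser would do with it. Two assumptions are not confirmed by the page: that the CORS keys live in the [outputs] section of glances.conf, and that the Glances 4 API serves /api/4/cpu. The sample configuration texts and header sets are constructed.

```python
"""Offline config audit and live CORS probe for CVE-2026-32610 (added example, not Glances code)."""
import configparser
import urllib.error
import urllib.request

# Assumption: Glances keeps its CORS keys in the [outputs] section of glances.conf.
CORS_SECTION = "outputs"
# Defaults that apply when a key is commented out or absent.
DEFAULT_ORIGINS = "*"
DEFAULT_CREDENTIALS_PRE_4_5_2 = True   # vulnerable default
DEFAULT_CREDENTIALS_4_5_2 = False      # patched default

# Constructed sample: the pre-4.5.2 shipped file with every CORS key still commented out.
SHIPPED_DEFAULT_CONF = """
[outputs]
# Default is *
#cors_origins=*
# Indicate that cookies should be supported for cross-origin requests.
# Default is True
#cors_credentials=True
"""

# Constructed sample: an explicitly hardened file.
HARDENED_CONF = """
[outputs]
cors_origins=https://trusted-dashboard.example.com
cors_credentials=False
cors_methods=GET
"""


def _to_bool(value: str) -> bool:
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_config(conf_text: str, patched: bool) -> dict:
    """Resolve the effective cors_origins/cors_credentials pair and flag the insecure combination.

    patched=True applies the 4.5.2+ default for cors_credentials, False the older one.
    Commented-out keys are invisible to configparser, so they fall back to the default.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    origins = DEFAULT_ORIGINS
    credentials = DEFAULT_CREDENTIALS_4_5_2 if patched else DEFAULT_CREDENTIALS_PRE_4_5_2
    if parser.has_section(CORS_SECTION):
        origins = parser.get(CORS_SECTION, "cors_origins", fallback=origins).strip()
        raw = parser.get(CORS_SECTION, "cors_credentials", fallback=None)
        if raw is not None:
            credentials = _to_bool(raw)
    wildcard = "*" in [o.strip() for o in origins.split(",")]
    return {"cors_origins": origins, "cors_credentials": credentials,
            "vulnerable": wildcard and credentials}


def classify_cors_headers(headers: dict, origin: str) -> str:
    """Say what a browser would do with a credentialed cross-origin response.

    'reflected'  -> ACAO echoes our arbitrary origin and ACAC is true: the hostile page reads the body.
    'wildcard'   -> ACAO is '*': the browser refuses to expose a credentialed response.
    'restricted' -> ACAO names some other origin: not readable by us.
    'none'       -> no ACAO header: the cross-origin read is blocked.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao is None:
        return "none"
    if acao == "*":
        return "wildcard"
    if acao == origin and acac:
        return "reflected"
    return "restricted"


def probe(base_url: str, origin: str = "https://attacker.example", timeout: float = 5.0) -> str:
    """Replay the request a hostile page would cause: an arbitrary Origin plus a Cookie header.

    Assumption: the Glances 4 API serves /api/4/cpu. A 401 from HTTP auth still passes through
    the CORS middleware, so its headers are classified too.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/4/cpu",
                                 headers={"Origin": origin, "Cookie": "probe=1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_cors_headers(dict(resp.headers.items()), origin)
    except urllib.error.HTTPError as err:
        return classify_cors_headers(dict(err.headers.items()), origin)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. http://127.0.0.1:61208 (Glances' default web port)
    else:
        for name, text in (("shipped pre-4.5.2", SHIPPED_DEFAULT_CONF), ("hardened", HARDENED_CONF)):
            print(name, audit_config(text, patched=False))
```

Run it with no arguments to audit the two embedded samples, or pass the base URL of a Glances instance you are authorised to test to have probe send the hostile-page request and report whether the origin was reflected. A result of "reflected" against a live instance is the concrete sign that the insecure pair is in effect; "wildcard" means credentials are off and browsers will block the read.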
How to Mitigate CVE-2026-32610
Immediate Actions Required
- Upgrade Glances to version 4.5.2 or later immediately
- Review and update CORS configuration to explicitly define trusted origins
- Disable the web interface if not required for operations
- Restrict network access to Glances instances using firewall rules
Patch Information
The vulnerability is fixed in Glances version 4.5.2. The patch modifies the default CORS configuration to set cors_credentials to False by default, preventing the insecure credential sharing behavior. Users can review the security fix in the GitHub Security Advisory GHSA-9jfm-9rc6-2hfq and the GitHub Release v4.5.2.
Workarounds
- Explicitly set cors_credentials=False in the Glances configuration file
- Configure cors_origins with specific trusted origins instead of using the wildcard *
- Implement network-level access controls to restrict access to the Glances web interface
- Consider running Glances behind a reverse proxy with proper CORS handling
# Configuration example - glances.conf
# Set specific trusted origins instead of wildcard
cors_origins=https://trusted-dashboard.example.com
# Disable credentials for cross-origin requests (secure default)
cors_credentials=False
# Restrict methods if full API access is not required
cors_methods=GET
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


