Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32610

CVE-2026-32610: Glances REST API CORS XSS Vulnerability

CVE-2026-32610 is a cross-site scripting flaw in Glances REST API that allows malicious websites to steal system monitoring data through CORS misconfiguration. This post covers technical details, affected versions, and fixes.

Published:

CVE-2026-32610 Overview

CVE-2026-32610 is an Insecure Default Configuration vulnerability in Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets allow_origins=["*"] combined with allow_credentials=True. When both of these options are enabled together, Starlette's CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin response header instead of returning the literal * wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance.

Critical Impact

Attackers can steal sensitive system monitoring data, configuration secrets, and command line arguments from Glances users by exploiting the permissive CORS configuration through malicious websites.

Affected Products

  • Glances versions prior to 4.5.2
  • Glances REST API web server with default CORS configuration
  • Systems running Glances with web interface enabled

Discovery Timeline

  • 2026-03-18 - CVE CVE-2026-32610 published to NVD
  • 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32610

Vulnerability Analysis

The vulnerability resides in the default CORS (Cross-Origin Resource Sharing) configuration of the Glances REST API. The problematic combination occurs when allow_origins is set to the wildcard * (accepting all origins) while simultaneously enabling allow_credentials=True. According to the CORS specification, browsers should reject this combination, but Starlette's CORSMiddleware handles this by reflecting the requesting Origin header in the Access-Control-Allow-Origin response header. This behavior effectively bypasses browser security controls designed to prevent cross-origin credential sharing with arbitrary domains.

The vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains), which describes scenarios where a web server allows cross-origin requests from untrusted sources, potentially exposing sensitive data to malicious actors.

Root Cause

The root cause is an insecure default configuration in the Glances configuration file where cors_credentials defaults to True while cors_origins defaults to *. This combination creates a security flaw where the Starlette CORS middleware reflects the origin header, allowing any website to make authenticated requests to the Glances API. The fix changes the default value of cors_credentials to False and explicitly warns users to only enable it when cors_origins is configured with specific trusted origins.

Attack Vector

The attack is network-based and requires user interaction. An attacker can craft a malicious website that makes cross-origin requests to a victim's Glances instance. When the victim visits the malicious site while having an active Glances session, the browser will include credentials with the cross-origin request due to the permissive CORS configuration. The attacker can then exfiltrate sensitive system monitoring information including CPU/memory usage, running processes, configuration data, and command line arguments that may contain secrets.

text
# Vulnerable Configuration (conf/glances.conf)
# Default is *
#cors_origins=*
# Indicate that cookies should be supported for cross-origin requests.
-# Default is True
-#cors_credentials=True
+# Default is False.
+# Set to True only when cors_origins is explicitly configured with specific origins.
+#cors_credentials=False
# Comma separated list of HTTP methods that should be allowed for cross-origin requests.
# Default is *
#cors_methods=*

Source: GitHub Commit Update

Detection Methods for CVE-2026-32610

Indicators of Compromise

  • Unexpected cross-origin requests to Glances API endpoints from unknown domains
  • Web server logs showing requests with suspicious Origin headers
  • Anomalous API access patterns from external referer domains

Detection Strategies

  • Monitor web server access logs for cross-origin requests to Glances API with credentials
  • Review Glances configuration files for insecure CORS settings (cors_credentials=True with cors_origins=*)
  • Implement network monitoring to detect data exfiltration from Glances instances

Monitoring Recommendations

  • Enable detailed logging for the Glances REST API to capture origin headers
  • Set up alerts for unusual API access patterns or high-volume data requests
  • Regularly audit Glances configuration files across deployed instances

How to Mitigate CVE-2026-32610

Immediate Actions Required

  • Upgrade Glances to version 4.5.2 or later immediately
  • Review and update CORS configuration to explicitly define trusted origins
  • Disable the web interface if not required for operations
  • Restrict network access to Glances instances using firewall rules

Patch Information

The vulnerability is fixed in Glances version 4.5.2. The patch modifies the default CORS configuration to set cors_credentials to False by default, preventing the insecure credential sharing behavior. Users can review the security fix in the GitHub Security Advisory GHSA-9jfm-9rc6-2hfq and the GitHub Release v4.5.2.

Workarounds

  • Explicitly set cors_credentials=False in the Glances configuration file
  • Configure cors_origins with specific trusted origins instead of using the wildcard *
  • Implement network-level access controls to restrict access to the Glances web interface
  • Consider running Glances behind a reverse proxy with proper CORS handling
bash
# Configuration example - glances.conf
# Set specific trusted origins instead of wildcard
cors_origins=https://trusted-dashboard.example.com

# Disable credentials for cross-origin requests (secure default)
cors_credentials=False

# Restrict methods if full API access is not required
cors_methods=GET

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.