CVE-2026-33533 Overview
CVE-2026-33533 is a high-severity CORS misconfiguration vulnerability affecting Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Combined with the lack of Content-Type header validation, this allows attacker-controlled webpages to exfiltrate sensitive system monitoring data through CORS "simple requests."
Critical Impact
Complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network statistics, and the full process list including command lines which may contain tokens, passwords, or internal paths.
Affected Products
- Glances versions prior to 4.5.3
- Glances XML-RPC server mode (glances -s or glances --server)
- Systems exposing Glances server to untrusted networks
Discovery Timeline
- 2026-04-02 - CVE-2026-33533 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-33533
Vulnerability Analysis
This vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The core issue stems from the Glances XML-RPC server implementing overly permissive CORS headers without proper request validation.
When the Glances server is started in server mode, it responds to all HTTP requests with the Access-Control-Allow-Origin: * header. This wildcard CORS policy, combined with the XML-RPC handler's failure to validate the Content-Type header, creates a browser-based attack vector.
An attacker can craft a malicious webpage that sends a POST request with Content-Type: text/plain containing a valid XML-RPC payload. Because this qualifies as a CORS "simple request," the browser sends it without performing a preflight check. The Glances server processes the XML body and returns the complete system monitoring dataset, which the attacker's JavaScript can read due to the permissive CORS header.
Root Cause
The root cause is twofold: (1) the use of a wildcard (*) in the Access-Control-Allow-Origin response header, and (2) the absence of Content-Type validation in the XML-RPC request handler. This combination allows cross-origin requests from any domain to successfully retrieve sensitive system monitoring data.
Attack Vector
The attack is network-based and requires user interaction. An attacker must lure a victim who has access to an exposed Glances server to visit a malicious webpage. The attacker's page then leverages the victim's browser as a proxy to query the Glances XML-RPC server and exfiltrate the response data.
The attack flow:
- Victim visits attacker-controlled webpage
- Malicious JavaScript sends POST request to Glances server with Content-Type: text/plain
- Browser treats this as a "simple request" (no preflight)
- Glances server processes XML-RPC payload and returns monitoring data
- Wildcard CORS header allows JavaScript to read the response
- Attacker receives sensitive system information
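The two halves of the root cause above map onto two small checks in the request handler. The following is an added example, not Glances' own code: a handler built on the standard library's SimpleXMLRPCRequestHandler (which Glances' server mode is based on) that refuses the text/plain content type a CORS "simple request" would carry and never emits a wildcard Access-Control-Allow-Origin. The handler name, the allowlist value and the demo method are assumptions.

```python
# Added example, not Glances' own code: an XML-RPC request handler that closes
# both halves of CVE-2026-33533 (wildcard CORS header + no Content-Type check).
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Origins allowed to read responses cross-origin (assumed value; empty means none).
ALLOWED_ORIGINS = frozenset({"https://monitoring.example.internal"})

# Media types a real XML-RPC client sends. "text/plain" is deliberately absent:
# it is the only type a browser will POST cross-origin without a preflight.
XMLRPC_CONTENT_TYPES = ("text/xml", "application/xml")


def content_type_allowed(content_type):
    """True only for an XML-RPC media type; parameters such as charset are ignored."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in XMLRPC_CONTENT_TYPES


def cors_header_for(origin, allowed=ALLOWED_ORIGINS):
    """Access-Control-Allow-Origin value to send, or None for no header at all.
    Never returns '*': the wildcard is what lets any page read the response."""
    if origin and origin in allowed:
        return origin
    return None


class HardenedXMLRPCHandler(SimpleXMLRPCRequestHandler):
    def do_POST(self):
        # Fix half 2: reject bodies that do not declare an XML-RPC content type.
        if not content_type_allowed(self.headers.get("Content-Type")):
            self.send_error(415, "Unsupported Media Type")
            return
        super().do_POST()

    def end_headers(self):
        # Fix half 1: echo one allowlisted origin instead of '*'. Headers may be
        # absent if the request failed to parse, hence the getattr guard.
        headers = getattr(self, "headers", None)
        allow = cors_header_for(headers.get("Origin") if headers else None)
        if allow is not None:
            self.send_header("Access-Control-Allow-Origin", allow)
            self.send_header("Vary", "Origin")
        super().end_headers()


if __name__ == "__main__":
    # Demo server on the default Glances server port with a stand-in method.
    with SimpleXMLRPCServer(("127.0.0.1", 61209), requestHandler=HardenedXMLRPCHandler) as srv:
        srv.register_function(lambda: {"hostname": "demo-host"}, "getAll")
        srv.serve_forever()
```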
Detection Methods for CVE-2026-33533
Indicators of Compromise
- Unusual cross-origin requests to Glances XML-RPC server endpoints
- HTTP POST requests with Content-Type: text/plain containing XML-RPC payloads
- Unexpected external referrers in Glances server access logs
- Multiple rapid queries to monitoring endpoints from browser user-agents
Detection Strategies
- Monitor network traffic for XML-RPC requests to Glances server from untrusted origins
- Implement web application firewall rules to detect cross-origin requests to internal monitoring services
- Review Glances server logs for requests originating from unexpected sources or containing unusual Content-Type headers
- Deploy browser security policies (Content-Security-Policy) to prevent outbound connections to internal services
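The indicators and detection strategies above can be turned into a concrete rule. The following is an added example, not part of the advisory or of Glances: a small detector run over constructed reverse-proxy access log lines in an assumed JSON-lines format (the Glances server's own log does not record the Origin or Content-Type headers, so a proxy or packet capture in front of it is assumed to supply them). The allowlist, sample addresses and threshold are constructed values.

```python
# Added example (not from the advisory or Glances): flag CVE-2026-33533 indicators
# in access logs. Log format is an assumed JSON-lines proxy log; data is constructed.
import json
from collections import Counter

TRUSTED_ORIGINS = {"https://monitoring.example.internal"}  # assumed allowlist
GLANCES_PORT = 61209        # default Glances server port (see the iptables example)
RAPID_THRESHOLD = 3         # browser requests from one client to count as "rapid"

# Constructed sample: one legitimate XML-RPC client, one trusted browser origin,
# and one untrusted page firing text/plain POSTs (the simple-request pattern).
SAMPLE_LOG = """\
{"client":"10.0.0.5","dst_port":61209,"method":"POST","content_type":"text/xml","origin":null,"ua":"xmlrpc-client/1.0"}
{"client":"10.0.0.7","dst_port":61209,"method":"POST","content_type":"text/xml","origin":"https://monitoring.example.internal","ua":"Mozilla/5.0"}
{"client":"10.0.0.9","dst_port":61209,"method":"POST","content_type":"text/plain","origin":"https://attacker.example","ua":"Mozilla/5.0"}
{"client":"10.0.0.9","dst_port":61209,"method":"POST","content_type":"text/plain;charset=UTF-8","origin":"https://attacker.example","ua":"Mozilla/5.0"}
{"client":"10.0.0.9","dst_port":61209,"method":"POST","content_type":"text/plain","origin":"https://attacker.example","ua":"Mozilla/5.0"}
{"client":"10.0.0.9","dst_port":8080,"method":"GET","content_type":null,"origin":null,"ua":"Mozilla/5.0"}
"""


def parse_log(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(entry):
    """Indicator names matched by one POST to the Glances port (empty if benign)."""
    hits = []
    if entry.get("dst_port") != GLANCES_PORT or entry.get("method") != "POST":
        return hits
    media_type = (entry.get("content_type") or "").split(";", 1)[0].strip().lower()
    if media_type == "text/plain":            # CORS simple request carrying XML-RPC
        hits.append("simple-request-content-type")
    origin = entry.get("origin")
    if origin and origin not in TRUSTED_ORIGINS:   # cross-origin from unknown page
        hits.append("untrusted-origin")
    return hits


def detect(text):
    """Return (per-request findings, clients making rapid browser queries)."""
    entries = parse_log(text)
    findings = [(e["client"], e.get("origin"), classify(e)) for e in entries if classify(e)]
    browser_hits = Counter(
        e["client"] for e in entries
        if e.get("dst_port") == GLANCES_PORT and (e.get("ua") or "").startswith("Mozilla")
    )
    rapid = sorted(c for c, n in browser_hits.items() if n >= RAPID_THRESHOLD)
    return findings, rapid
```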
Monitoring Recommendations
- Enable detailed logging on Glances server instances to capture request origins
- Monitor for JavaScript-based data exfiltration patterns in network security tools
- Audit exposed Glances instances for version compliance (ensure 4.5.3 or later)
- Implement network segmentation to limit browser access to monitoring infrastructure
How to Mitigate CVE-2026-33533
Immediate Actions Required
- Upgrade Glances to version 4.5.3 or later immediately
- Restrict network access to Glances server instances using firewall rules
- Avoid exposing Glances XML-RPC server to untrusted networks or the public internet
- Consider using reverse proxy with proper CORS configuration and authentication
Patch Information
The vulnerability has been patched in Glances version 4.5.3. The fix addresses the permissive CORS policy in the XML-RPC server. For detailed patch information, refer to the GitHub Security Advisory GHSA-7p93-6934-f4q7 and the official release v4.5.3.
The security patch includes configuration changes as shown below:
# Disable background color
#disable_bg=True
#
-# Specifics options for WebUI
-#----------------------------
+# Specifics options for Glances server
+#-------------------------------------
# Set URL prefix for the WebUI and the API
# Example: url_prefix=/glances/ => http://localhost/glances/
# Note: The final / is mandatory
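Review bot: the lines shown here only rename the section comment ("Specifics options for WebUI" becomes "Specifics options for Glances server") and its dash underline; none of the visible `-`/`+` lines change the Access-Control-Allow-Origin header or add Content-Type validation, so this excerpt does not on its own demonstrate the CORS fix the paragraph above attributes to 4.5.3. Quoting the hunk that actually alters the server's response headers, or the option the new "Glances server" section introduces, would make the patch information verifiable. Minor: "Specifics options" should read "Specific options" in the added comment line.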
Source: GitHub Commit dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1
Workarounds
- Disable the Glances XML-RPC server if not required (glances without -s or --server flags)
- Implement network-level access controls to restrict Glances server access to trusted hosts only
- Deploy a reverse proxy with strict CORS policies and authentication in front of Glances
- Use host-based firewall rules to limit connections to the Glances server port
# Example: Restrict Glances server access using iptables
# Only allow connections from trusted management network
iptables -A INPUT -p tcp --dport 61209 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 61209 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.