Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33533

CVE-2026-33533: Glances Information Disclosure Vulnerability

CVE-2026-33533 is an information disclosure flaw in Glances XML-RPC server that allows attackers to exfiltrate system monitoring data via CORS misconfiguration. This post covers technical details, affected versions, and patches.

Published:

CVE-2026-33533 Overview

CVE-2026-33533 is a high-severity CORS misconfiguration vulnerability affecting Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (activated with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Combined with the lack of Content-Type header validation, this allows attacker-controlled webpages to exfiltrate sensitive system monitoring data through CORS "simple requests."

Critical Impact

Complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network statistics, and the full process list including command lines which may contain tokens, passwords, or internal paths.

Affected Products

  • Glances versions prior to 4.5.3
  • Glances XML-RPC server mode (glances -s or glances --server)
  • Systems exposing Glances server to untrusted networks

Discovery Timeline

  • 2026-04-02 - CVE-2026-33533 published to NVD
  • 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-33533

Vulnerability Analysis

This vulnerability is classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). The core issue stems from the Glances XML-RPC server implementing overly permissive CORS headers without proper request validation.

When the Glances server is started in server mode, it responds to all HTTP requests with the Access-Control-Allow-Origin: * header. This wildcard CORS policy, combined with the XML-RPC handler's failure to validate the Content-Type header, creates a browser-based attack vector.

An attacker can craft a malicious webpage that sends a POST request with Content-Type: text/plain containing a valid XML-RPC payload. Because this qualifies as a CORS "simple request," the browser sends it without performing a preflight check. The Glances server processes the XML body and returns the complete system monitoring dataset, which the attacker's JavaScript can read due to the permissive CORS header.

Root Cause

The root cause is twofold: (1) the use of a wildcard (*) in the Access-Control-Allow-Origin response header, and (2) the absence of Content-Type validation in the XML-RPC request handler. This combination allows cross-origin requests from any domain to successfully retrieve sensitive system monitoring data.

Attack Vector

The attack is network-based and requires user interaction. An attacker must lure a victim who has access to an exposed Glances server to visit a malicious webpage. The attacker's page then leverages the victim's browser as a proxy to query the Glances XML-RPC server and exfiltrate the response data.

The attack flow:

  1. Victim visits attacker-controlled webpage
  2. Malicious JavaScript sends POST request to Glances server with Content-Type: text/plain
  3. Browser treats this as a "simple request" (no preflight)
  4. Glances server processes XML-RPC payload and returns monitoring data
  5. Wildcard CORS header allows JavaScript to read the response
  6. Attacker receives sensitive system information

Detection Methods for CVE-2026-33533

Indicators of Compromise

  • Unusual cross-origin requests to Glances XML-RPC server endpoints
  • HTTP POST requests with Content-Type: text/plain containing XML-RPC payloads
  • Unexpected external referrers in Glances server access logs
  • Multiple rapid queries to monitoring endpoints from browser user-agents

Detection Strategies

  • Monitor network traffic for XML-RPC requests to Glances server from untrusted origins
  • Implement web application firewall rules to detect cross-origin requests to internal monitoring services
  • Review Glances server logs for requests originating from unexpected sources or containing unusual Content-Type headers
  • Deploy browser security policies (Content-Security-Policy) to prevent outbound connections to internal services

Monitoring Recommendations

  • Enable detailed logging on Glances server instances to capture request origins
  • Monitor for JavaScript-based data exfiltration patterns in network security tools
  • Audit exposed Glances instances for version compliance (ensure 4.5.3 or later)
  • Implement network segmentation to limit browser access to monitoring infrastructure

How to Mitigate CVE-2026-33533

Immediate Actions Required

  • Upgrade Glances to version 4.5.3 or later immediately
  • Restrict network access to Glances server instances using firewall rules
  • Avoid exposing Glances XML-RPC server to untrusted networks or the public internet
  • Consider using reverse proxy with proper CORS configuration and authentication

Patch Information

The vulnerability has been patched in Glances version 4.5.3. The fix addresses the permissive CORS policy in the XML-RPC server. For detailed patch information, refer to the GitHub Security Advisory GHSA-7p93-6934-f4q7 and the official release v4.5.3.

The security patch includes configuration changes as shown below:

text
 # Disable background color
 #disable_bg=True
 #
-# Specifics options for WebUI
-#----------------------------
+# Specifics options for Glances server
+#-------------------------------------
 # Set URL prefix for the WebUI and the API
 # Example: url_prefix=/glances/ => http://localhost/glances/
 # Note: The final / is mandatory

Source: GitHub Commit dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1

Workarounds

  • Disable the Glances XML-RPC server if not required (glances without -s or --server flags)
  • Implement network-level access controls to restrict Glances server access to trusted hosts only
  • Deploy a reverse proxy with strict CORS policies and authentication in front of Glances
  • Use host-based firewall rules to limit connections to the Glances server port
bash
# Example: Restrict Glances server access using iptables
# Only allow connections from trusted management network
iptables -A INPUT -p tcp --dport 61209 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 61209 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.