CVE-2026-34839

CVE-2026-34839

Name

CVE-2026-34839

Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
security-advisories@github.com	https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9
security-advisories@github.com	https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh

Type

URI

security-advisories@github.com

https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9

security-advisories@github.com

https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:nicolargo:glances::::::::`	glances	>= None	< 4.5.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

glances

>= None

< 4.5.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
glances	edge-community	4.5.3.2-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.5.2-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.5.2-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.5.0.5-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.5.0.4-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.4.1-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.3.3-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	4.3.1-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	edge-community	3.4.0.5-r1	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable
glances	3.23-community	4.4.1-r0	Francesco Colista <fcolista@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

glances

edge-community

4.5.3.2-r0

Francesco Colista <fcolista@alpinelinux.org>

possibly vulnerable

glances

edge-community