CVE-2026-34839
Published:April 20, 2026
Updated:April 23, 2026
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API ("/api/4/*") that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy ("Access-Control-Allow-Origin: *"). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API ("/api/4/*") is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Affected Packages
glances (CONDA):
Affected version(s) >=2.6 <4.5.4Fix Suggestion:
Update to version 4.5.4https://github.com/nicolargo/glances.git (GITHUB):
Affected version(s) >=v1.0 <v4.5.4Fix Suggestion:
Update to version v4.5.4glances (PYTHON):
Affected version(s) >=1.3.1 <4.5.4Fix Suggestion:
Update to version 4.5.4Glances (PYTHON):
Affected version(s) >=1.3.1 <4.5.4Fix Suggestion:
Update to version 4.5.4Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
7.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
Exploit Maturity
POC
CVSS v3
Base Score:
7.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
EPSS
Base Score:
0.06
