{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32610", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T14:54:24.270Z", "datePublished": "2026-03-18T16:31:12.154Z", "dateUpdated": "2026-03-18T16:59:40.327Z"}, "containers": {"cna": {"title": "Glances's Default CORS Configuration Allows Cross-Origin Credential Theft", "problemTypes": [{"descriptions": [{"cweId": "CWE-942", "lang": "en", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"}, {"name": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"}, {"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"version": "< 4.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T16:31:12.154Z"}, "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."}], "source": {"advisory": "GHSA-9jfm-9rc6-2hfq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T16:59:20.865855Z", "id": "CVE-2026-32610", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T16:59:40.327Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32610", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T16:59:20.865855Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T16:59:34.494Z"}}], "cna": {"title": "Glances's Default CORS Configuration Allows Cross-Origin Credential Theft", "source": {"advisory": "GHSA-9jfm-9rc6-2hfq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"status": "affected", "version": "< 4.5.2"}]}], "references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq", "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832", "name": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-942", "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T16:31:12.154Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32610", "state": "PUBLISHED", "dateUpdated": "2026-03-18T16:59:40.327Z", "dateReserved": "2026-03-12T14:54:24.270Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T16:31:12.154Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59", "versionEndExcluding": "4.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."}], "id": "CVE-2026-32610", "lastModified": "2026-03-21T00:16:56.353", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T17:16:06.947", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-942"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glances", "source": "cna", "vendor": "nicolargo"}, "product": "glances", "vendor": "nicolargo"}], "analysis": {"en": {"generated_at": "2026-03-21T07:07:49.679444+00:00", "value": {"mitigation_remediation": ["Upgrade Glances to version 4.5.2 or later to receive the corrected CORS configuration", "If an upgrade is delayed, immediately disable the \"allow_credentials\" option or re\u2011configure the CORS policy to allow only trusted origins", "Restrict network access to the Glances REST API so it is reachable only from trusted hosts or behind a VPN", "Monitor API logs for unusual cross\u2011origin requests and invalidate compromised credentials", "Verify that no other configurations expose the API to the public internet"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized data theft via credentialed cross-origin requests"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source Glances monitoring tool developed by nicolargo. Versions prior to 4.5.2 are vulnerable; the safest version to run is 4.5.2 or newer where the bug is fixed.", "description_and_impact": "Glances ships with a default Cross-Origin Resource Sharing configuration that allows any origin to send requests with credentials. Because the server sets allow_origins to accept all origins while also enabling allow_credentials, the middleware reflects the Origin header back to the client instead of returning a wildcard. This flaw permits a malicious website to issue authenticated API calls to the Glances REST interface, leaking sensitive monitoring data, configuration secrets, and command line arguments from any user who has an active browser session. The weakness is a CORS misconfiguration (CWE\u2011942) that compromises confidentiality.", "risk_and_exploitability": "The CVSS score of 8.1 classifies the vulnerability as high severity. The EPSS score of less than 1% suggests that real\u2011world exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, any web page accessed by a user with an authenticated Glances session can initiate malicious requests, making the risk of data theft significant in environments where the Glances server is reachable from untrusted networks or publicly exposed. The attack vector is mainly web\u2011browser based, requiring an active session through standard authentication mechanisms."}}}}, "created": "2026-03-19T08:56:25.330139+00:00", "updated": "2026-03-24T10:58:32.578156+00:00", "vendors": ["nicolargo", "nicolargo$PRODUCT$glances"]}