CVE-2026-32610: Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
(updated )
The Glances REST API web server ships with a default CORS configuration that sets allow_origins=["*"] combined with allow_credentials=True. When both of these options are enabled together, Starlette’s CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin response header instead of returning the literal * wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance.
References
- github.com/advisories/GHSA-9jfm-9rc6-2hfq
- github.com/nicolargo/glances
- github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832
- github.com/nicolargo/glances/releases/tag/v4.5.2
- github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq
- nvd.nist.gov/vuln/detail/CVE-2026-32610
Code Behaviors & Features
Detect and mitigate CVE-2026-32610 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →