CVE-2026-34839: CORS Vulnerability in Glances

Updated: April 20th, 2026

Product Name: Glances
Vulnerability: Cross-Origin Information Disclosure
(CWE-200: Exposure of Sensitive Information)
Vulnerable Version: <= 4.5.2
CVE: CVE-2026-34839 (High)

On 30/03/2025, a security researcher at Astra Security identified a Cross-Origin Information Disclosure vulnerability in Glances, a popular cross-platform system monitoring tool, affecting all versions up to and including 4.5.2.

CVE-2026-34839 enables a malicious website to retrieve sensitive system data from a victim’s machine simply by having them visit an attacker-controlled page.

If exploited, the threat actor could obtain a broad range of sensitive information, including running process lists, system performance metrics, and network configuration details. This data should never be accessible to untrusted third-party origins.

Technical Breakdown of CVE-2026-34839

CVE-2026-34839 was discovered during a manual analysis of the application’s API and network behavior. The flaw is especially dangerous on office and home networks, where Glances is commonly run and host IPs are easy to find through simple scanning.

How was it discovered?

Our researcher found that when Glances is launched in web mode with the -w flag and bound to 0.0.0.0, its web interface exposes a fully functional REST API on port 61208. This API requires no credentials and answers cross-origin fetch requests from any domain.

By studying the API response from /api/4/all, it was confirmed that detailed system telemetry, i.e., process names, CPU usage, memory consumption, and network interfaces, was being returned without restriction to any browser-based request.

How to replicate the vulnerability

  1. Start Glances in web mode:
     glances -w -B 0.0.0.0
  2. Set up or access a malicious webpage under attacker control.
  3. Embed the following script in the malicious page:
     fetch('http://<victim-ip>:61208/api/4/all')
       .then(r => r.json())
       .then(data => console.log(data));
  4. When a victim visits the page, the browser silently sends the request to the Glances API.
  5. Observe that the API returns sensitive system data without any authentication check or origin restriction.
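Administrators who want to confirm whether their own Glances instance is affected can replay the conditions above against it from a non-browser client and inspect the answer: a 200 without credentials plus a wildcard or reflected Access-Control-Allow-Origin header is exactly the combination a browser needs to read the JSON cross-origin. The following self-audit helper is an added example, not code from the advisory or from the Glances project; the function names, the probe origin and the finding labels are assumptions, and only the /api/4/all path and port 61208 come from the text.

```python
import sys
import urllib.error
import urllib.request

# Constructed origin that no deployment should ever allow (hypothetical value).
PROBE_ORIGIN = "https://untrusted.example"


def evaluate_cors(status, headers, probe_origin=PROBE_ORIGIN):
    """Classify one /api/4/all response.

    `headers` is a mapping of response headers (any letter case);
    returns a list of finding strings, each prefixed with a label.
    """
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")

    if status == 200:
        findings.append("unauthenticated: endpoint answered 200 without credentials")
    elif status in (401, 403):
        findings.append("ok: endpoint requires credentials")
    else:
        findings.append(f"unexpected-status: {status}")

    if acao == "*":
        findings.append("cors-wildcard: Access-Control-Allow-Origin is *, any site may read the JSON")
    elif acao == probe_origin:
        findings.append("cors-reflected: the untrusted Origin was echoed back")
    elif acao is None:
        findings.append("ok: no Access-Control-Allow-Origin header, browsers block cross-origin reads")
    else:
        findings.append(f"ok: Access-Control-Allow-Origin restricted to {acao}")
    return findings


def is_exposed(findings):
    """True when a malicious web page could read the telemetry cross-origin:
    the endpoint is unauthenticated AND CORS lets an untrusted origin read it."""
    unauth = any(f.startswith("unauthenticated") for f in findings)
    cors_open = any(f.startswith("cors-") for f in findings)
    return unauth and cors_open


def audit(base_url, probe_origin=PROBE_ORIGIN, timeout=5):
    """Fetch /api/4/all with a forged Origin header and classify the reply."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/4/all", headers={"Origin": probe_origin}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return evaluate_cors(resp.status, dict(resp.headers), probe_origin)
    except urllib.error.HTTPError as err:  # 401/403 etc. still carry headers
        return evaluate_cors(err.code, dict(err.headers), probe_origin)


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:61208"
    result = audit(url)
    for line in result:
        print(line)
    print("EXPOSED" if is_exposed(result) else "not exposed to cross-origin reads")
```

Run it against your own instance (`python audit.py http://127.0.0.1:61208`). Note that a 200 with no CORS header at all is reported as not readable cross-origin by a browser, but the endpoint is still unauthenticated for any non-browser client on the network, so the workarounds below still apply.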


Impact of CORS

The severity of CVE-2026-34839 is significant. It could allow an attacker to take control of Glances’ outgoing HTTP requests from the IP plugin and cause severe damage. This opens new pathways to credential theft and infrastructure compromise without requiring direct access to the target system. In enterprise environments, the potential blast radius is considerably higher.

  • Unauthorized Access: Threat actors can retrieve process lists, system metrics, and network configuration data from a victim’s machine without the victim’s knowledge.
  • Internal Network Access: The vulnerability enables mapping of internal networks and systems, including 127.0.0.1 (localhost services) and private network ranges such as 192.168.x.x, 10.x.x.x, and 172.16.x.x.
  • Confidentiality Impact: Sensitive operational data is disclosed to unauthorized parties with no interaction beyond visiting a webpage.
  • Host Fingerprinting: Attackers can easily fingerprint the host system (OS version, hostname, CPU model, uptime, running services, etc.) to aid more targeted and effective follow-on attacks.
  • Sensitive Data Exposure: Detailed system telemetry, including process lists, CPU usage, memory statistics, and network interfaces, is exposed to untrusted origins.

Current Status of CVE-2026-34839

The vulnerability is tracked under GitHub Advisory GHSA-gfc2-9qmw-w7vh. The Glances maintainers were notified and promptly implemented a patch; CVE-2026-34839 is fixed in versions later than 4.5.2.

What Can You Do?

Users are strongly advised to update Glances to a version later than 4.5.2. If that is not possible due to compatibility issues, implement the following workarounds:

  • Bind the Glances service to localhost (127.0.0.1) to prevent external network access.
  • Enable authentication to prevent unauthenticated access to the API.
  • Restrict CORS allowed origins to trusted domains only, removing the wildcard (Access-Control-Allow-Origin: *) header.
  • Place the service behind a reverse proxy configured with TLS and access controls.
  • Avoid exposing the Glances web interface on public or untrusted networks under any circumstances.
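The second and third workarounds (authentication and an origin allow-list instead of a wildcard) are server-side policy decisions, and it helps to see the vulnerable posture and the hardened one side by side. The following is an added example written for this article, not Glances' own code or configuration: the policy dictionaries, user table, and `handle_request` function are assumptions that model what a request to /api/4/all should receive under each policy, with HTTP Basic credentials checked against a salted PBKDF2 hash and only allow-listed origins echoed back in Access-Control-Allow-Origin.

```python
import base64
import hashlib
import hmac
import os

# Constructed example policies (hypothetical keys, not Glances settings).
WILDCARD_POLICY = {"allowed_origins": {"*"}, "require_auth": False}  # the exposed posture
HARDENED_POLICY = {
    "allowed_origins": {"https://monitor.internal.example"},  # constructed trusted origin
    "require_auth": True,
}

PBKDF2_ROUNDS = 100_000


def make_user(password, salt=None):
    """Store a salted PBKDF2-SHA256 digest rather than the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def basic_auth_header(username, password):
    """Build the Authorization header a client would send (helper for demos/tests)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def verify_user(users, authorization):
    """Validate an HTTP Basic Authorization header against the user table."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[len("Basic "):]).decode()
    except ValueError:  # bad base64 or non-UTF-8 payload
        return False
    name, _, password = decoded.partition(":")
    record = users.get(name)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def cors_headers(policy, origin):
    """CORS headers to emit for a request carrying `origin` (None when absent)."""
    allowed = policy["allowed_origins"]
    if "*" in allowed:
        # Wildcard: every website's JavaScript may read the response body.
        return {"Access-Control-Allow-Origin": "*"}
    if origin is not None and origin in allowed:
        # Echo only allow-listed origins and tell caches the answer depends on Origin.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}  # untrusted origin: browser refuses to expose the body to the page


def handle_request(policy, users, origin=None, authorization=None):
    """Return (status, headers) for GET /api/4/all under the given policy."""
    headers = cors_headers(policy, origin)
    if policy["require_auth"] and not verify_user(users, authorization):
        headers["WWW-Authenticate"] = 'Basic realm="glances"'
        return 401, headers
    return 200, headers


if __name__ == "__main__":
    users = {"admin": make_user("correct horse")}  # constructed credentials
    print(handle_request(WILDCARD_POLICY, {}, origin="https://untrusted.example"))
    print(handle_request(HARDENED_POLICY, users, origin="https://untrusted.example"))
    print(handle_request(HARDENED_POLICY, users,
                         origin="https://monitor.internal.example",
                         authorization=basic_auth_header("admin", "correct horse")))
```

Under the wildcard policy an untrusted page gets a 200 and a readable body; under the hardened policy the same page gets a 401 with no Access-Control-Allow-Origin header, and even a page on the allow-listed origin is answered only when it presents valid credentials. Binding with `-B 127.0.0.1`, as the first workaround suggests, uses the same flag shown in the replication steps and keeps the API off the network entirely.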