{"id":46542,"date":"2026-04-20T13:41:10","date_gmt":"2026-04-20T08:11:10","guid":{"rendered":"https:\/\/www.getastra.com\/blog\/?p=46542"},"modified":"2026-04-20T13:41:54","modified_gmt":"2026-04-20T08:11:54","slug":"cve-2026-34839","status":"publish","type":"post","link":"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2026-34839\/","title":{"rendered":"CVE-2026-34839: CORS Vulnerability in Glances"},"content":{"rendered":"<div class=\"gb-container gb-container-83f53fef\">\n\n<p class=\"wp-block-paragraph\"><strong>Product Name:<\/strong>&nbsp;Glances<br><strong>Vulnerability:<\/strong>&nbsp;Cross-Origin Information Disclosure<br>(CWE-200: Exposure of Sensitive Information)<br><strong>Vulnerable Version:&nbsp;<\/strong>&lt;= 4.5.2<br><strong>CVE:<\/strong>&nbsp;CVE-2026-34839 (High)<\/p>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">On 30\/03\/2025, a security researcher at Astra Security identified a Cross-Origin Information Disclosure vulnerability in Glances, a popular cross-platform system monitoring tool, affecting all versions up to and including 4.5.2.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>CVE-2026-34839 <\/strong>enables a malicious website to retrieve sensitive system data from a victim\u2019s machine simply by having them visit an attacker-controlled page.<br><br>If exploited, the threat actor could get a broad range of sensitive information, including running process lists, system performance metrics, and network configuration details. 
This data should never be accessible to untrusted third-party origins.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Technical_Breakdown_of_CVE-2026-34839\"><\/span>Technical Breakdown of CVE-2026-34839<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/nicolargo\/glances\/security\/advisories\/GHSA-gfc2-9qmw-w7vh\" target=\"_blank\" data-type=\"link\" data-id=\"https:\/\/github.com\/nicolargo\/glances\/security\/advisories\/GHSA-gfc2-9qmw-w7vh\" rel=\"noreferrer noopener nofollow\">CVE-2026-34839<\/a> was discovered during a manual analysis of the application\u2019s API and network behavior. The flaw is particularly dangerous on office and home networks, where Glances is commonly run and host IPs are easy to find through simple scanning.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How was it discovered?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Our researcher found that when Glances is launched in web mode with the -w flag and bound to 0.0.0.0, its web interface exposes a fully functional <strong>REST API<\/strong> on <strong>port 61208<\/strong>. 
The API requires no credentials and, because it answers with a wildcard CORS header (Access-Control-Allow-Origin: *), the browser lets a page from any origin read the response to a cross-origin fetch request.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">By studying the API response from <strong>\/api\/4\/all<\/strong>, it was confirmed that detailed system telemetry (process names, CPU usage, memory consumption, and network interfaces) was being returned without restriction to any browser-based request.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How to replicate the vulnerability<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Start Glances in web mode, bound to all interfaces:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>glances -w -B 0.0.0.0<\/code><\/pre>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Set up or access a malicious webpage under attacker control.<\/li>\n\n\n\n<li>Embed the following script in the malicious page:<\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>fetch('http:\/\/&lt;victim-ip&gt;:61208\/api\/4\/all')\n  .then(r =&gt; r.json())\n  .then(data =&gt; console.log(data));<\/code><\/pre>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li>When a victim visits the page, the browser silently sends the request to the Glances API.<\/li>\n\n\n\n<li>Observe that the API returns sensitive system data without any authentication check or origin restriction.<\/li>\n<\/ol>\n\n\n\n<div class=\"gb-container gb-container-35f61913\">\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Impact_of_CORS\"><\/span>Impact of CORS<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">The severity of CVE-2026-34839 is significant. It could allow an attacker to take control of Glances&#8217; outgoing HTTP requests from the IP plugin and cause severe damage. This opens a new set of pathways to credential theft, infrastructure compromise, etc., without requiring direct access to the target system. 
In enterprise environments, the potential blast radius is considerably higher.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Unauthorized Access:<\/strong> Threat actors can retrieve process lists, system metrics, and network configuration data from a victim\u2019s machine without the victim&#8217;s knowledge.<\/li>\n\n\n\n<li><strong>Internal Network Access:<\/strong> The vulnerability enables mapping of internal networks and systems, including 127.0.0.1 (localhost services) and private network ranges such as 192.168.x.x, 10.x.x.x, and 172.16.x.x.<\/li>\n\n\n\n<li><strong>Confidentiality Impact:<\/strong> Sensitive operational data is disclosed to unauthorized parties with no interaction beyond visiting a webpage.<\/li>\n\n\n\n<li><strong>Host Fingerprinting:<\/strong> Attackers can easily fingerprint the host system (OS version, hostname, CPU model, uptime, running services, etc.) to aid more targeted and effective follow-on attacks.<\/li>\n\n\n\n<li><strong>Sensitive Data Exposure:<\/strong> Detailed system telemetry, including process lists, CPU usage, memory statistics, and network interfaces, is exposed to untrusted origins.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Current_Status_of_CVE-2026-34839\"><\/span>Current Status of <strong>CVE-2026-34839<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The vulnerability is tracked under GitHub Advisory GHSA-gfc2-9qmw-w7vh. The Glances maintainers were notified and promptly released a patch for CVE-2026-34839 in versions <strong>&gt;4.5.2<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_Can_You_Do\"><\/span>What Can You Do?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Users are strongly advised to update Glances to a version <strong>&gt; 4.5.2<\/strong>. 
If updating is not possible due to compatibility issues, apply the following workarounds:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Bind the Glances service to localhost (127.0.0.1, i.e. -B 127.0.0.1 instead of -B 0.0.0.0) so that it is not reachable from the network. This only stops remote hosts: a page open in a browser on the same machine can still address 127.0.0.1, so combine it with authentication.<\/li>\n\n\n\n<li>Enable authentication to prevent unauthenticated access to the API.<\/li>\n\n\n\n<li>Restrict CORS allowed origins to trusted domains only, removing the wildcard (Access-Control-Allow-Origin: *) header.<\/li>\n\n\n\n<li>Place the service behind a reverse proxy configured with TLS and access controls.<\/li>\n\n\n\n<li>Avoid exposing the Glances web interface on public or untrusted networks under any circumstances.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Product Name:&nbsp;GlancesVulnerability:&nbsp;Cross-Origin Information Disclosure(CWE-200: Exposure of Sensitive Information)Vulnerable Version:&nbsp;&lt;= 4.5.2CVE:&nbsp;CVE-2026-34839 (High) On 30\/03\/2025, a security researcher at Astra Security identified a Cross-Origin Information Disclosure vulnerability in Glances, a popular cross-platform system monitoring tool, affecting all versions up to and including 4.5.2. 
CVE-2026-34839 enables a malicious website to retrieve sensitive system data from a victim\u2019s machine &#8230; <a title=\"CVE-2026-34839: CORS Vulnerability in Glances\" class=\"read-more\" href=\"https:\/\/www.getastra.com\/blog\/vulnerability\/cve-2026-34839\/\" aria-label=\"Read more about CVE-2026-34839: CORS Vulnerability in Glances\">Read more<\/a><\/p>\n","protected":false},"author":138,"featured_media":46544,"comment_status":"open","ping_status":"0","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[723],"tags":[],"class_list":["post-46542","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/46542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/users\/138"}],"replies":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/comments?post=46542"}],"version-history":[{"count":4,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/46542\/revisions"}],"predecessor-version":[{"id":47073,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/posts\/46542\/revisions\/47073"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media\/46544"}],"wp:attachment":[{"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/media?parent=46542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/categories?post=46542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.getastra.com\/blog\/wp-json\/wp\/v2\/tags?post=46542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}
}