CVE-2026-32610
CVE-2026-32610 is a high-severity vulnerability in Nicolargo Glances with a CVSS 3.x base score of 8.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-942.
Key facts
- Severity: High (CVSS 3.x base score 8.1)
- EPSS exploit prediction: 0% (26th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-12880
- Weakness: CWE-942
- Affected product: Nicolargo Glances
- Published:
- Last modified:
Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Frequently asked questions
- What is CVE-2026-32610?
- Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
- How severe is CVE-2026-32610?
- CVE-2026-32610 has a CVSS 3.x base score of 8.1, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-32610 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (26th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-32610?
- CVE-2026-32610 affects Nicolargo Glances. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-32610?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-32610 have an EU (EUVD) identifier?
- Yes. CVE-2026-32610 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-12880.
- When was CVE-2026-32610 published?
- CVE-2026-32610 was published on 2026-03-18 and last updated on 2026-06-17.
References
- https://github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832
- https://github.com/nicolargo/glances/releases/tag/v4.5.2
- https://github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfq
Affected products (1)
- cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*
More vulnerabilities in Nicolargo Glances
- CVE-2026-30930 — Critical (CVSS 9.8): Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.1, The TimescaleDB export module…
- CVE-2026-32633 — Critical (CVSS 9.1): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the…
- CVE-2026-35587 — High (CVSS 8.8): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery…
- CVE-2026-32634 — High (CVSS 8.1): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode,…
- CVE-2026-33641 — High (CVSS 7.8): Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.3, Glances supports dynamic…
- CVE-2026-32609 — High (CVSS 7.5): Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed…
All CVEs affecting Nicolargo Glances →
Other CWE-942 vulnerabilities
- CVE-2022-26969 — Critical (CVSS 9.8): In Directus before 9.7.0, the default settings of CORS_ORIGIN and CORS_ENABLED are true.
- CVE-2022-31736 — Critical (CVSS 9.8): A malicious website could have learned the size of a cross-origin resource that supported Range requests. This…
- CVE-2026-34449 — Critical (CVSS 9.6): SiYuan is a personal knowledge management system. Prior to version 3.6.2, a malicious website can achieve Remote Code…
- CVE-2026-30924 — Critical (CVSS 9.6): qui is a web interface for managing qBittorrent instances. Versions 1.14.1 and below use a permissive CORS policy that…
- CVE-2026-9739 — Critical (CVSS 9.4): Vulnerable to DNS rebinding attacks when using SSE (http://b/499408790). During the beta phase, we implemented…
- CVE-2026-8948 — Critical (CVSS 9.1): Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151 and Thunderbird…