CVE-2026-46608
HighCVSS 7.4Exploitation Probability (EPSS)
Low risk32th percentile — higher than 32% of all known CVEs
Summary
In Glances before version 4.5.5, a vulnerability exists in the XML-RPC server. When the CORS origin list (cors_origins) contains more than one entry, the implementation incorrectly sets the Access-Control-Allow-Origin header to *, allowing access from any origin. A malicious web page can thus read the full system monitoring dataset without the victim's knowledge.
Risk Assessment
The organization risks unauthorized leakage of sensitive system data (e.g., CPU load, memory, processes) to external, potentially malicious websites, which may compromise the confidentiality and security of the IT infrastructure.
Recommendation
Immediately update Glances to version 4.5.5 or later. If an update is not possible, temporarily restrict access to the XML-RPC server via a firewall or configure the cors_origins list with a single entry.
Original NVD description (English source)
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins) intending to restrict browser access instead receives the unrestricted wildcard. A malicious web page served from any origin can issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.

