High severityNVD Advisory· Published Mar 18, 2026· Updated Mar 18, 2026
Glances's Default CORS Configuration Allows Cross-Origin Credential Theft
CVE-2026-32610
Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets allow_origins=["*"] combined with allow_credentials=True. When both of these options are enabled together, Starlette's CORSMiddleware reflects the requesting Origin header value in the Access-Control-Allow-Origin response header instead of returning the literal * wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
GlancesPyPI | < 4.5.2 | 4.5.2 |
Affected products
1Patches
14465169b71d9Merge branch 'GHSA-9jfm-9rc6-2hfq' into develop
5 files changed · +536 −396
conf/glances.conf+3 −2 modified@@ -57,8 +57,9 @@ history_size=1200 # Default is * #cors_origins=* # Indicate that cookies should be supported for cross-origin requests. -# Default is True -#cors_credentials=True +# Default is False. +# Set to True only when cors_origins is explicitly configured with specific origins. +#cors_credentials=False # Comma separated list of HTTP methods that should be allowed for cross-origin requests. # Default is * #cors_methods=*
docker-compose/glances.conf+3 −2 modified@@ -57,8 +57,9 @@ max_processes_display=25 # Default is * #cors_origins=* # Indicate that cookies should be supported for cross-origin requests. -# Default is True -#cors_credentials=True +# Default is False. +# Set to True only when cors_origins is explicitly configured with specific origins. +#cors_credentials=False # Comma separated list of HTTP methods that should be allowed for cross-origin requests. # Default is * #cors_methods=*
docs/api/restful.rst+491 −390 modified@@ -209,6 +209,31 @@ for production environments. deployments on non-loopback interfaces, always set ``webui_allowed_hosts`` and consider enabling authentication. +**CORS (Cross-Origin Resource Sharing)** controls which external websites can +make requests to the Glances API from a browser. By default, Glances allows +requests from any origin (``cors_origins=*``) but does **not** allow credentials +(``cors_credentials=False``). This means cross-origin requests work for +unauthenticated API access, but browsers will not send stored credentials +(e.g. Basic Auth) to the API from a third-party page. + +If you need credentialed cross-origin access (e.g. a separate dashboard +application that authenticates to Glances), you **must** configure explicit +origins — the wildcard ``*`` combined with credentials is insecure and will be +automatically rejected: + +.. code-block:: ini + + [outputs] + cors_origins=https://my-dashboard.internal.example.com + cors_credentials=True + +.. warning:: + + Setting ``cors_credentials=True`` with ``cors_origins=*`` is not allowed. + Glances will automatically disable credentials and log a warning if this + combination is detected. This prevents a class of cross-site data theft + attacks where any website could read your monitoring data. + When Glances is started without authentication or without host filtering, warning messages are displayed at startup to remind you of the risks. @@ -313,15 +338,15 @@ GET amps Get plugin stats:: # curl http://localhost:61208/api/4/amps - [{"count": 0, + [{"count": 1, "countmax": None, "countmin": 1.0, "key": "name", "name": "Dropbox", "refresh": 3.0, "regex": True, "result": None, - "timer": 0.3456707000732422}, + "timer": 0.002265453338623047}, {"count": 0, "countmax": 20.0, "countmin": None, @@ -330,7 +355,7 @@ Get plugin stats:: "refresh": 3.0, "regex": True, "result": None, - "timer": 0.3456084728240967}] + "timer": 6.748074054718018}] Fields descriptions: @@ -345,20 +370,26 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/amps/name - {"name": ["Dropbox", "Python", "Conntrack", "Nginx", "Systemd", "SystemV"]} + {"name": ["Dropbox", + "Python", + "Conntrack", + "Nginx", + "Systemd", + "SystemV", + "Test_int"]} Get a specific item when field matches the given value:: # curl http://localhost:61208/api/4/amps/name/value/Dropbox - {"Dropbox": [{"count": 0, + {"Dropbox": [{"count": 1, "countmax": None, "countmin": 1.0, "key": "name", "name": "Dropbox", "refresh": 3.0, "regex": True, "result": None, - "timer": 0.3456707000732422}]} + "timer": 0.002265453338623047}]} GET cloud --------- @@ -374,7 +405,17 @@ GET connections Get plugin stats:: # curl http://localhost:61208/api/4/connections - {"net_connections_enabled": True, "nf_conntrack_enabled": True} + {"ESTABLISHED": 23, + "LISTEN": 42, + "SYN_RECV": 0, + "SYN_SENT": 0, + "initiated": 0, + "net_connections_enabled": True, + "nf_conntrack_count": 140.0, + "nf_conntrack_enabled": True, + "nf_conntrack_max": 262144.0, + "nf_conntrack_percent": 0.05340576171875, + "terminated": 0} Fields descriptions: @@ -406,17 +447,17 @@ Get plugin stats:: "engine": "docker", "id": "5a46c40efc1cf41d855e35617b5b34ba146b78b9f8fd2a07dcfab9cd2a9d673b", "image": ["nats:latest"], - "io": {"cumulative_ior": 14610432, "cumulative_iow": 0}, + "io": {"cumulative_ior": 14958592, "cumulative_iow": 0}, "io_rx": None, "io_wx": None, "key": "name", - "memory": {"inactive_file": 851968, "limit": 16421228544, "usage": 8855552}, - "memory_inactive_file": 851968, + "memory": {"inactive_file": 593920, "limit": 16421228544, "usage": 9863168}, + "memory_inactive_file": 593920, "memory_limit": 16421228544, "memory_percent": None, - "memory_usage": 8855552, + "memory_usage": 9863168, "name": "nats-for-glances", - "network": {"cumulative_rx": 222095, "cumulative_tx": 0}, + "network": {"cumulative_rx": 261057, "cumulative_tx": 0}, "network_rx": None, "network_tx": None, "ports": "4222->4222/tcp,6222->6222/tcp,8222->8222/tcp", @@ -483,19 +524,19 @@ Get a specific item when field matches the given value:: "engine": "docker", "id": "5a46c40efc1cf41d855e35617b5b34ba146b78b9f8fd2a07dcfab9cd2a9d673b", "image": ["nats:latest"], - "io": {"cumulative_ior": 14610432, "cumulative_iow": 0}, + "io": {"cumulative_ior": 14958592, "cumulative_iow": 0}, "io_rx": None, "io_wx": None, "key": "name", - "memory": {"inactive_file": 851968, + "memory": {"inactive_file": 593920, "limit": 16421228544, - "usage": 8855552}, - "memory_inactive_file": 851968, + "usage": 9863168}, + "memory_inactive_file": 593920, "memory_limit": 16421228544, "memory_percent": None, - "memory_usage": 8855552, + "memory_usage": 9863168, "name": "nats-for-glances", - "network": {"cumulative_rx": 222095, "cumulative_tx": 0}, + "network": {"cumulative_rx": 261057, "cumulative_tx": 0}, "network_rx": None, "network_tx": None, "ports": "4222->4222/tcp,6222->6222/tcp,8222->8222/tcp", @@ -527,19 +568,19 @@ Get plugin stats:: # curl http://localhost:61208/api/4/cpu {"cpucore": 16, - "ctx_switches": 973405916, + "ctx_switches": 997823388, "guest": 0.0, - "idle": 89.1, - "interrupts": 633974466, - "iowait": 0.3, + "idle": 89.0, + "interrupts": 647828831, + "iowait": 0.5, "irq": 0.0, "nice": 0.0, - "soft_interrupts": 269022438, + "soft_interrupts": 276165769, "steal": 0.0, "syscalls": 0, - "system": 4.2, - "total": 10.1, - "user": 6.3} + "system": 6.0, + "total": 10.8, + "user": 4.5} Fields descriptions: @@ -575,7 +616,7 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/cpu/total - {"total": 10.1} + {"total": 10.8} GET diskio ---------- @@ -585,14 +626,14 @@ Get plugin stats:: # curl http://localhost:61208/api/4/diskio [{"disk_name": "nvme0n1", "key": "disk_name", - "read_bytes": 42571500032, - "read_count": 1718035, + "read_bytes": 43737659904, + "read_count": 1758878, "read_latency": 0, - "read_time": 638267, - "write_bytes": 178574345216, - "write_count": 5767536, + "read_time": 663425, + "write_bytes": 179718235136, + "write_count": 5826187, "write_latency": 0, - "write_time": 9640249}, + "write_time": 9756980}, {"disk_name": "nvme0n1p1", "key": "disk_name", "read_bytes": 18477056, @@ -644,22 +685,39 @@ Get a specific item when field matches the given value:: # curl http://localhost:61208/api/4/diskio/disk_name/value/nvme0n1 {"nvme0n1": [{"disk_name": "nvme0n1", "key": "disk_name", - "read_bytes": 42571500032, - "read_count": 1718035, + "read_bytes": 43737659904, + "read_count": 1758878, "read_latency": 0, - "read_time": 638267, - "write_bytes": 178574345216, - "write_count": 5767536, + "read_time": 663425, + "write_bytes": 179718235136, + "write_count": 5826187, "write_latency": 0, - "write_time": 9640249}]} + "write_time": 9756980}]} GET folders ----------- Get plugin stats:: # curl http://localhost:61208/api/4/folders - [] + [{"careful": "2500", + "critical": "3500", + "errno": 0, + "indice": "1", + "key": "path", + "path": "/home/nicolargo/tmp", + "refresh": 60, + "size": 1318507651, + "warning": "3000"}, + {"careful": None, + "critical": "20000", + "errno": 0, + "indice": "2", + "key": "path", + "path": "/home/nicolargo/ISOs", + "refresh": 30, + "size": 20338157568, + "warning": "17000"}] Fields descriptions: @@ -671,22 +729,42 @@ Fields descriptions: * **warning**: Warning threshold in MB (unit is *megabyte*) * **critical**: Critical threshold in MB (unit is *megabyte*) +Get a specific field:: + + # curl http://localhost:61208/api/4/folders/path + {"path": ["/home/nicolargo/tmp", "/home/nicolargo/ISOs", "/nonexisting"]} + +Get a specific item when field matches the given value:: + + # curl http://localhost:61208/api/4/folders/path/value//home/nicolargo/tmp + {"/home/nicolargo/tmp": [{"careful": "2500", + "critical": "3500", + "errno": 0, + "indice": "1", + "key": "path", + "path": "/home/nicolargo/tmp", + "refresh": 60, + "size": 1318507651, + "warning": "3000"}]} + GET fs ------ Get plugin stats:: # curl http://localhost:61208/api/4/fs - [{"device_name": "/dev/mapper/ubuntu--vg-ubuntu--lv", - "free": 554497273856, + [{"alias": "Root", + "device_name": "/dev/mapper/ubuntu--vg-ubuntu--lv", + "free": 554485317632, "fs_type": "ext4", "key": "mnt_point", "mnt_point": "/", "options": "rw,relatime", "percent": 41.8, "size": 1003736440832, - "used": 398176661504}, - {"device_name": "zsfpool", + "used": 398188617728}, + {"alias": "ZFS", + "device_name": "zsfpool", "free": 41680896, "fs_type": "zfs", "key": "mnt_point", @@ -715,15 +793,16 @@ Get a specific field:: Get a specific item when field matches the given value:: # curl http://localhost:61208/api/4/fs/mnt_point/value// - {"/": [{"device_name": "/dev/mapper/ubuntu--vg-ubuntu--lv", - "free": 554497273856, + {"/": [{"alias": "Root", + "device_name": "/dev/mapper/ubuntu--vg-ubuntu--lv", + "free": 554485317632, "fs_type": "ext4", "key": "mnt_point", "mnt_point": "/", "options": "rw,relatime", "percent": 41.8, "size": 1003736440832, - "used": 398176661504}]} + "used": 398188617728}]} GET gpu ------- @@ -785,7 +864,11 @@ GET ip Get plugin stats:: # curl http://localhost:61208/api/4/ip - {"address": "172.17.0.1", "mask": "255.255.0.0", "mask_cidr": 16} + {"address": "172.17.0.1", + "mask": "255.255.0.0", + "mask_cidr": 16, + "public_address": "91.166.228.228", + "public_info_human": "Europe/France/Roquefort-les-Pins"} Fields descriptions: @@ -821,9 +904,9 @@ Get plugin stats:: # curl http://localhost:61208/api/4/load {"cpucore": 16, - "min1": 1.6826171875, - "min15": 0.38720703125, - "min5": 0.71142578125} + "min1": 2.14013671875, + "min15": 0.85009765625, + "min5": 1.224609375} Fields descriptions: @@ -838,27 +921,27 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/load/min1 - {"min1": 1.6826171875} + {"min1": 2.14013671875} GET mem ------- Get plugin stats:: # curl http://localhost:61208/api/4/mem - {"active": 5975076864, - "available": 2392299512, - "buffers": 112832512, - "cached": 3194370168, - "free": 242176000, - "inactive": 8398368768, - "percent": 85.4, - "percent_max": 85.4, - "percent_mean": 85.4, - "percent_min": 85.4, - "shared": 1140588544, + {"active": 5337784320, + "available": 2329049080, + "buffers": 49827840, + "cached": 2751678584, + "free": 183627776, + "inactive": 9234456576, + "percent": 85.8, + "percent_max": 85.8, + "percent_mean": 85.8, + "percent_min": 85.8, + "shared": 1099100160, "total": 16421228544, - "used": 14028929032} + "used": 14092179464} Fields descriptions: @@ -888,13 +971,13 @@ GET memswap Get plugin stats:: # curl http://localhost:61208/api/4/memswap - {"free": 110592, + {"free": 204800, "percent": 100.0, - "sin": 3000950784, - "sout": 8995168256, + "sin": 3011534848, + "sout": 9006145536, "time_since_update": 1, "total": 4294963200, - "used": 4294852608} + "used": 4294758400} Fields descriptions: @@ -917,34 +1000,34 @@ GET network Get plugin stats:: # curl http://localhost:61208/api/4/network - [{"alias": None, + [{"alias": "WIFI", "bytes_all": 0, - "bytes_all_gauge": 10844250261, + "bytes_all_gauge": 10955675003, "bytes_all_rate_per_sec": 0, "bytes_recv": 0, - "bytes_recv_gauge": 9901932767, + "bytes_recv_gauge": 9993045495, "bytes_recv_rate_per_sec": 0, "bytes_sent": 0, - "bytes_sent_gauge": 942317494, + "bytes_sent_gauge": 962629508, "bytes_sent_rate_per_sec": 0, "interface_name": "wlp0s20f3", "key": "interface_name", "speed": 0, - "time_since_update": 0.35176944732666016}, + "time_since_update": 6.7519354820251465}, {"alias": None, "bytes_all": 0, - "bytes_all_gauge": 343281, + "bytes_all_gauge": 394805, "bytes_all_rate_per_sec": 0, "bytes_recv": 0, - "bytes_recv_gauge": 39512, + "bytes_recv_gauge": 45624, "bytes_recv_rate_per_sec": 0, "bytes_sent": 0, - "bytes_sent_gauge": 303769, + "bytes_sent_gauge": 349181, "bytes_sent_rate_per_sec": 0, "interface_name": "veth65928bd", "key": "interface_name", "speed": 10485760000, - "time_since_update": 0.35176944732666016}] + "time_since_update": 6.7519354820251465}] Fields descriptions: @@ -971,28 +1054,28 @@ Get a specific field:: Get a specific item when field matches the given value:: # curl http://localhost:61208/api/4/network/interface_name/value/wlp0s20f3 - {"wlp0s20f3": [{"alias": None, + {"wlp0s20f3": [{"alias": "WIFI", "bytes_all": 0, - "bytes_all_gauge": 10844250261, + "bytes_all_gauge": 10955675003, "bytes_all_rate_per_sec": 0, "bytes_recv": 0, - "bytes_recv_gauge": 9901932767, + "bytes_recv_gauge": 9993045495, "bytes_recv_rate_per_sec": 0, "bytes_sent": 0, - "bytes_sent_gauge": 942317494, + "bytes_sent_gauge": 962629508, "bytes_sent_rate_per_sec": 0, "interface_name": "wlp0s20f3", "key": "interface_name", "speed": 0, - "time_since_update": 0.35176944732666016}]} + "time_since_update": 6.7519354820251465}]} GET now ------- Get plugin stats:: # curl http://localhost:61208/api/4/now - {"custom": "2026-03-14 13:45:17 CET", "iso": "2026-03-14T13:45:17+01:00"} + {"custom": "2026-03-14 14:50:12 CET", "iso": "2026-03-14T14:50:12+01:00"} Fields descriptions: @@ -1002,7 +1085,7 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/now/iso - {"iso": "2026-03-14T13:45:17+01:00"} + {"iso": "2026-03-14T14:50:12+01:00"} GET npu ------- @@ -1036,31 +1119,31 @@ Get plugin stats:: "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 26.0, + "idle": 57.0, "interrupt": None, "iowait": 0.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 0.0, + "softirq": 1.0, "steal": 0.0, - "system": 4.0, - "total": 74.0, + "system": 13.0, + "total": 43.0, "user": 1.0}, {"cpu_number": 1, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 71.0, "interrupt": None, - "iowait": 0.0, + "iowait": 1.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, "system": 0.0, - "total": 68.0, + "total": 29.0, "user": 1.0}] Fields descriptions: @@ -1094,10 +1177,11 @@ Get plugin stats:: [{"description": "DefaultGateway", "host": "192.168.0.254", "indice": "port_0", + "key": "indice", "port": 0, "refresh": 30, "rtt_warning": None, - "status": 0.031126, + "status": 0.042803, "timeout": 3}] Fields descriptions: @@ -1113,28 +1197,29 @@ Fields descriptions: Get a specific field:: - # curl http://localhost:61208/api/4/ports/host - {"host": ["192.168.0.254"]} + # curl http://localhost:61208/api/4/ports/indice + {"indice": ["port_0"]} Get a specific item when field matches the given value:: - # curl http://localhost:61208/api/4/ports/host/value/192.168.0.254 - {"192.168.0.254": [{"description": "DefaultGateway", - "host": "192.168.0.254", - "indice": "port_0", - "port": 0, - "refresh": 30, - "rtt_warning": None, - "status": 0.031126, - "timeout": 3}]} + # curl http://localhost:61208/api/4/ports/indice/value/port_0 + {"port_0": [{"description": "DefaultGateway", + "host": "192.168.0.254", + "indice": "port_0", + "key": "indice", + "port": 0, + "refresh": 30, + "rtt_warning": None, + "status": 0.042803, + "timeout": 3}]} GET processcount ---------------- Get plugin stats:: # curl http://localhost:61208/api/4/processcount - {"pid_max": 0, "running": 1, "sleeping": 470, "thread": 2804, "total": 645} + {"pid_max": 0, "running": 1, "sleeping": 468, "thread": 2748, "total": 613} Fields descriptions: @@ -1147,7 +1232,7 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/processcount/total - {"total": 645} + {"total": 613} GET processlist --------------- @@ -1178,35 +1263,36 @@ Get plugin stats:: "--enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EarlyEstablishGpuChannel,EstablishGpuChannelAsync", "--disable-features=CalculateNativeWinOcclusion,FontationsLinuxSystemFonts,ScreenAIOCREnabled,SpareRendererForSitePerProcess", "--variations-seed-version"], + "cpu_num": 10, "cpu_percent": 0.0, - "cpu_times": {"children_system": 195.1, - "children_user": 170.18, + "cpu_times": {"children_system": 233.74, + "children_user": 192.62, "iowait": 0.0, - "system": 214.52, - "user": 380.79}, + "system": 260.09, + "user": 437.48}, "gids": {"effective": 1000, "real": 1000, "saved": 1000}, - "io_counters": [662939648, - 137199616, + "io_counters": [703946752, + 137662464, 0, 0, 0, - 1110652928, - 201146368, + 1112307712, + 201412608, 0, 0, 0, - 134029312, + 158925824, 45056, 0, 0, 0, - 506602496, + 572149760, 385024, 0, 0, 0, - 841250816, - 145911808, + 843408384, + 146104320, 0, 0, 0, @@ -1215,23 +1301,23 @@ Get plugin stats:: 0, 0, 0, - 19957760, - 20480, + 1926392832, + 488689664, 0, 0, 0, - 577536, + 19957760, + 20480, 0, 0, 0, + 577536, 0, - 1867092992, - 487763968, 0, 0, 0, - 161910784, - 3064524800, + 177161216, + 3064586240, 0, 0, 0, @@ -1240,12 +1326,12 @@ Get plugin stats:: 0, 0, 0, - 42046464, + 42729472, 0, 0, 0, 0, - 5644288, + 5967872, 0, 0, 0, @@ -1260,23 +1346,23 @@ Get plugin stats:: 0, 0, 0, - 3366912, + 34765824, 0, 0, 0, 0, - 33713152, + 3366912, 0, 0, 0, 0, - 23598080, + 23630848, 172032, 0, 0, 0, - 51042304, - 28667904, + 60663808, + 29491200, 0, 0, 0, @@ -1291,65 +1377,76 @@ Get plugin stats:: 0, 0], "key": "pid", - "memory_info": {"data": 2271150080, + "memory_info": {"data": 2278105088, "dirty": 0, "lib": 0, - "rss": 1060003840, - "shared": 39776256, + "rss": 1037148160, + "shared": 25309184, "text": 148733952, "vms": 1498174038016}, - "memory_percent": 6.455082438928146, + "memory_percent": 6.315898699180786, "name": "code", "nice": 0, "num_threads": 22, "pid": 1137955, "status": "S", "time_since_update": 1, "username": "nicolargo"}, - {"cmdline": ["/proc/self/exe", - "--type=utility", - "--utility-sub-type=node.mojom.NodeService", - "--lang=en-US", - "--service-sandbox-type=none", - "--no-sandbox", - "--dns-result-order=ipv4first", - "--experimental-network-inspection", - "--inspect-port=0", - "--crashpad-handler-pid=9344", - "--enable-crash-reporter=864d4bb7-dd20-4851-830f-29e81dd93517,no_channel", - "--user-data-dir=/home/nicolargo/.config/Code", - "--standard-schemes=vscode-webview,vscode-file", - "--secure-schemes=vscode-webview,vscode-file", - "--cors-schemes=vscode-webview,vscode-file", - "--fetch-schemes=vscode-webview,vscode-file", - "--service-worker-schemes=vscode-webview", - "--code-cache-schemes=vscode-webview,vscode-file", - "--shared-files=v8_context_snapshot_data:100", - "--field-trial-handle=3,i,14671767833276363776,4659770901268553168,262144", - "--enable-features=DocumentPolicyIncludeJSCallStacksInCrashReports,EarlyEstablishGpuChannel,EstablishGpuChannelAsync", - "--disable-features=CalculateNativeWinOcclusion,FontationsLinuxSystemFonts,ScreenAIOCREnabled,SpareRendererForSitePerProcess", - "--variations-seed-version"], + {"cmdline": ["/snap/firefox/7967/usr/lib/firefox/firefox", + "-contentproc", + "-isForBrowser", + "-prefsHandle", + "0:41848", + "-prefMapHandle", + "1:282338", + "-jsInitHandle", + "2:227672", + "-parentBuildID", + "20260309231353", + "-sandboxReporter", + "3", + "-chrootClient", + "4", + "-ipcHandle", + "5", + "-initialChannelId", + "{7845bf51-8820-4f85-9350-bc277caf33af}", + "-parentPid", + "982326", + "-crashReporter", + "6", + "-crashHelper", + "7", + "-greomni", + "/snap/firefox/7967/usr/lib/firefox/omni.ja", + "-appomni", + "/snap/firefox/7967/usr/lib/firefox/browser/omni.ja", + "-appDir", + "/snap/firefox/7967/usr/lib/firefox/browser", + "3", + "tab"], + "cpu_num": 13, "cpu_percent": 0.0, - "cpu_times": {"children_system": 270.66, - "children_user": 724.39, + "cpu_times": {"children_system": 0.0, + "children_user": 0.0, "iowait": 0.0, - "system": 508.12, - "user": 1213.25}, + "system": 57.45, + "user": 370.93}, "gids": {"effective": 1000, "real": 1000, "saved": 1000}, - "io_counters": [1110652928, 201146368, 0, 0, 0], + "io_counters": [8265728, 0, 0, 0, 0], "key": "pid", - "memory_info": {"data": 2341564416, + "memory_info": {"data": 1034534912, "dirty": 0, "lib": 0, - "rss": 739160064, - "shared": 23785472, - "text": 148733952, - "vms": 1498177716224}, - "memory_percent": 4.5012470414101555, - "name": "code", + "rss": 751529984, + "shared": 87334912, + "text": 659456, + "vms": 25394700288}, + "memory_percent": 4.57657587546697, + "name": "WebExtensions", "nice": 0, - "num_threads": 22, - "pid": 381638, + "num_threads": 28, + "pid": 982671, "status": "S", "time_since_update": 1, "username": "nicolargo"}] @@ -1383,49 +1480,49 @@ Get plugin stats:: 9438, 9549, 1139810, + 9326, 1139213, 1139809, - 9326, 9525, 1293449, 1137956, 1139772, 1139793, 1139828, - 1138830, 9491, + 1138830, 9898, 9397, 9329, 9328], "cmdline": ["code"], "cpu_percent": 0, - "cpu_times": {"children_system": 1711.7799999999997, - "children_user": 2785.2999999999993, - "system": 1702.5900000000004, - "user": 8062.970000000001}, - "io_counters": [662939648, - 137199616, + "cpu_times": {"children_system": 1750.4199999999998, + "children_user": 2807.7399999999993, + "system": 1783.75, + "user": 8204.54}, + "io_counters": [703946752, + 137662464, 0, 0, 0, - 1110652928, - 201146368, + 1112307712, + 201412608, 0, 0, 0, - 134029312, + 158925824, 45056, 0, 0, 0, - 506602496, + 572149760, 385024, 0, 0, 0, - 841250816, - 145911808, + 843408384, + 146104320, 0, 0, 0, @@ -1434,23 +1531,23 @@ Get plugin stats:: 0, 0, 0, - 19957760, - 20480, + 1926392832, + 488689664, 0, 0, 0, - 577536, + 19957760, + 20480, 0, 0, 0, + 577536, 0, - 1867092992, - 487763968, 0, 0, 0, - 161910784, - 3064524800, + 177161216, + 3064586240, 0, 0, 0, @@ -1459,12 +1556,12 @@ Get plugin stats:: 0, 0, 0, - 42046464, + 42729472, 0, 0, 0, 0, - 5644288, + 5967872, 0, 0, 0, @@ -1479,23 +1576,23 @@ Get plugin stats:: 0, 0, 0, - 3366912, + 34765824, 0, 0, 0, 0, - 33713152, + 3366912, 0, 0, 0, 0, - 23598080, + 23630848, 172032, 0, 0, 0, - 51042304, - 28667904, + 60663808, + 29491200, 0, 0, 0, @@ -1509,12 +1606,12 @@ Get plugin stats:: 0, 0, 0], - "memory_info": {"data": 19039903744, - "rss": 4876546048, - "shared": 669212672, + "memory_info": {"data": 19041615872, + "rss": 4676952064, + "shared": 487407616, "text": 3123412992, - "vms": 25591723704320}, - "memory_percent": 29.696596907676533, + "vms": 25591704264704}, + "memory_percent": 28.481133743850528, "name": "code", "nice": 0, "nprocs": 21, @@ -1523,27 +1620,27 @@ Get plugin stats:: "status": "S", "time_since_update": 1, "username": "nicolargo"}, - {"childrens": [982326], - "cmdline": ["firefox"], + {"childrens": [982671], + "cmdline": ["WebExtensions"], "cpu_percent": 0, - "cpu_times": {"children_system": 0.94, - "children_user": 0.18, + "cpu_times": {"children_system": 0.0, + "children_user": 0.0, "iowait": 0.0, - "system": 488.75, - "user": 1670.95}, - "io_counters": [1471509504, 2454671360, 0, 0, 0], - "memory_info": {"data": 1026658304, + "system": 57.45, + "user": 370.93}, + "io_counters": [8265728, 0, 0, 0, 0], + "memory_info": {"data": 1034534912, "dirty": 0, "lib": 0, - "rss": 696991744, - "shared": 175570944, + "rss": 751529984, + "shared": 87334912, "text": 659456, - "vms": 30113456128}, - "memory_percent": 4.244455535908532, - "name": "firefox", + "vms": 25394700288}, + "memory_percent": 4.57657587546697, + "name": "WebExtensions", "nice": 0, "nprocs": 1, - "num_threads": 138, + "num_threads": 28, "pid": "_", "status": "S", "time_since_update": 1, @@ -1580,254 +1677,254 @@ GET quicklook Get plugin stats:: # curl http://localhost:61208/api/4/quicklook - {"cpu": 10.1, + {"cpu": 10.2, "cpu_hz": 4475000000.0, - "cpu_hz_current": 1565936437.5, + "cpu_hz_current": 768356625.0, "cpu_log_core": 16, "cpu_name": "13th Gen Intel(R) Core(TM) i7-13620H", "cpu_phys_core": 10, - "load": 2.4, - "mem": 85.4, + "load": 5.3, + "mem": 85.7, "percpu": [{"cpu_number": 0, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 26.0, + "idle": 92.6, "interrupt": None, - "iowait": 0.0, + "iowait": 0.4, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 4.0, - "total": 74.0, - "user": 1.0}, + "system": 4.4, + "total": 7.4, + "user": 2.6}, {"cpu_number": 1, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 95.2, "interrupt": None, "iowait": 0.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 0.0, + "softirq": 0.1, "steal": 0.0, - "system": 0.0, - "total": 68.0, - "user": 1.0}, + "system": 0.9, + "total": 4.8, + "user": 3.8}, {"cpu_number": 2, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 31.0, + "idle": 89.7, "interrupt": None, - "iowait": 0.0, + "iowait": 0.9, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 0.0, - "total": 69.0, - "user": 2.0}, + "system": 6.3, + "total": 10.3, + "user": 3.1}, {"cpu_number": 3, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 33.0, + "idle": 97.0, "interrupt": None, - "iowait": 0.0, + "iowait": 0.2, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 0.0, + "softirq": 0.1, "steal": 0.0, - "system": 0.0, - "total": 67.0, - "user": 0.0}, + "system": 1.1, + "total": 3.0, + "user": 1.5}, {"cpu_number": 4, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 28.0, + "idle": 65.0, "interrupt": None, - "iowait": 0.0, + "iowait": 3.8, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 2.0, - "total": 72.0, - "user": 2.0}, + "system": 20.9, + "total": 35.0, + "user": 10.3}, {"cpu_number": 5, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 33.0, + "idle": 88.4, "interrupt": None, - "iowait": 0.0, + "iowait": 1.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 0.0, + "softirq": 0.1, "steal": 0.0, - "system": 1.0, - "total": 67.0, - "user": 0.0}, + "system": 5.6, + "total": 11.6, + "user": 4.9}, {"cpu_number": 6, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 58.6, "interrupt": None, - "iowait": 0.0, + "iowait": 4.2, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 0.0, - "total": 68.0, - "user": 2.0}, + "system": 25.8, + "total": 41.4, + "user": 11.5}, {"cpu_number": 7, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 10.0, + "idle": 88.4, "interrupt": None, - "iowait": 1.0, + "iowait": 0.4, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 13.0, - "total": 90.0, - "user": 10.0}, + "system": 1.6, + "total": 11.6, + "user": 9.6}, {"cpu_number": 8, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 29.0, + "idle": 81.4, "interrupt": None, - "iowait": 0.0, + "iowait": 2.3, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 1.0, + "softirq": 0.1, "steal": 0.0, - "system": 1.0, - "total": 71.0, - "user": 3.0}, + "system": 10.7, + "total": 18.6, + "user": 5.5}, {"cpu_number": 9, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 34.0, + "idle": 96.8, "interrupt": None, - "iowait": 0.0, + "iowait": 0.1, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 0.0, - "total": 66.0, - "user": 0.0}, + "system": 1.1, + "total": 3.2, + "user": 2.0}, {"cpu_number": 10, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 30.0, + "idle": 84.7, "interrupt": None, - "iowait": 0.0, + "iowait": 2.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 1.0, - "total": 70.0, - "user": 1.0}, + "system": 6.8, + "total": 15.3, + "user": 6.5}, {"cpu_number": 11, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 34.0, + "idle": 97.3, "interrupt": None, "iowait": 0.0, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 0.0, - "total": 66.0, - "user": 0.0}, + "system": 1.7, + "total": 2.7, + "user": 1.0}, {"cpu_number": 12, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 31.0, + "idle": 91.8, "interrupt": None, - "iowait": 0.0, + "iowait": 0.5, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 1.0, - "total": 69.0, - "user": 1.0}, + "system": 4.4, + "total": 8.2, + "user": 3.3}, {"cpu_number": 13, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 93.3, "interrupt": None, - "iowait": 0.0, + "iowait": 0.2, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 1.0, - "total": 68.0, - "user": 1.0}, + "system": 3.5, + "total": 6.7, + "user": 3.0}, {"cpu_number": 14, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 94.8, "interrupt": None, - "iowait": 0.0, + "iowait": 0.1, "irq": 0.0, "key": "cpu_number", "nice": 0.0, "softirq": 0.0, "steal": 0.0, - "system": 1.0, - "total": 68.0, - "user": 1.0}, + "system": 2.4, + "total": 5.2, + "user": 2.6}, {"cpu_number": 15, "dpc": None, "guest": 0.0, "guest_nice": 0.0, - "idle": 32.0, + "idle": 95.3, "interrupt": None, - "iowait": 0.0, + "iowait": 0.2, "irq": 0.0, "key": "cpu_number", "nice": 0.0, - "softirq": 0.0, + "softirq": 0.1, "steal": 0.0, - "system": 0.0, - "total": 68.0, - "user": 1.0}], + "system": 2.5, + "total": 4.7, + "user": 1.9}], "swap": 100.0} Fields descriptions: @@ -1863,18 +1960,18 @@ Get plugin stats:: # curl http://localhost:61208/api/4/sensors [{"critical": None, "key": "label", - "label": "Ambient", + "label": "CPU", "type": "temperature_core", "unit": "C", - "value": 32, + "value": 46, "warning": 0}, {"critical": None, "key": "label", - "label": "Ambient 3", + "label": "GPU", "type": "temperature_core", "unit": "C", - "value": 31, - "warning": 0}] + "value": 45, + "warning": None}] Fields descriptions: @@ -1888,57 +1985,28 @@ Fields descriptions: Get a specific field:: # curl http://localhost:61208/api/4/sensors/label - {"label": ["Ambient", - "Ambient 3", - "Ambient 5", - "Ambient 6", - "CPU", - "Composite", - "Core 0", - "Core 4", - "Core 8", - "Core 12", - "Core 16", - "Core 20", - "Core 28", - "Core 29", - "Core 30", - "Core 31", + {"label": ["CPU", + "GPU", "HDD", - "Package id 0", + "NVME", "SODIMM", - "Sensor 1", - "Sensor 2", - "dell_smm 0", - "dell_smm 1", - "dell_smm 2", - "dell_smm 3", - "dell_smm 4", - "dell_smm 5", - "dell_smm 6", - "dell_smm 7", - "dell_smm 8", - "dell_smm 9", - "i915 0", - "iwlwifi_1 0", + "Wifi", "temp", "CPU Fan", + "GPU", "Video Fan", - "dell_smm 0", - "dell_smm 1", - "i915 0", - "BAT BAT0"]} + "Battery"]} Get a specific item when field matches the given value:: - # curl http://localhost:61208/api/4/sensors/label/value/Ambient - {"Ambient": [{"critical": None, - "key": "label", - "label": "Ambient", - "type": "temperature_core", - "unit": "C", - "value": 32, - "warning": 0}]} + # curl http://localhost:61208/api/4/sensors/label/value/CPU + {"CPU": [{"critical": None, + "key": "label", + "label": "CPU", + "type": "temperature_core", + "unit": "C", + "value": 46, + "warning": 0}]} GET smart --------- @@ -1981,7 +2049,7 @@ GET uptime Get plugin stats:: # curl http://localhost:61208/api/4/uptime - "20 days, 2:21:58" + "20 days, 3:26:52" GET version ----------- @@ -1997,7 +2065,7 @@ GET vms Get plugin stats:: # curl http://localhost:61208/api/4/vms - {} + [] Fields descriptions: @@ -2026,8 +2094,8 @@ Get plugin stats:: # curl http://localhost:61208/api/4/wifi [{"key": "ssid", - "quality_level": -69.0, - "quality_link": 41.0, + "quality_level": -73.0, + "quality_link": 37.0, "ssid": "wlp0s20f3"}] Get a specific field:: @@ -2039,8 +2107,8 @@ Get a specific item when field matches the given value:: # curl http://localhost:61208/api/4/wifi/ssid/value/wlp0s20f3 {"wlp0s20f3": [{"key": "ssid", - "quality_level": -69.0, - "quality_link": 41.0, + "quality_level": -73.0, + "quality_link": 37.0, "ssid": "wlp0s20f3"}]} GET all stats @@ -2104,34 +2172,34 @@ GET stats history History of a plugin:: # curl http://localhost:61208/api/4/cpu/history - {"system": [["2026-03-14T12:45:18.228958+00:00", 4.2], - ["2026-03-14T12:45:19.343125+00:00", 3.0], - ["2026-03-14T12:45:20.380153+00:00", 3.0]], - "user": [["2026-03-14T12:45:18.228955+00:00", 6.3], - ["2026-03-14T12:45:19.343118+00:00", 8.0], - ["2026-03-14T12:45:20.380148+00:00", 8.0]]} + {"system": [["2026-03-14T13:50:18.209800+00:00", 4.9], + ["2026-03-14T13:50:19.511970+00:00", 4.9], + ["2026-03-14T13:50:21.832870+00:00", 3.3]], + "user": [["2026-03-14T13:50:18.209793+00:00", 3.9], + ["2026-03-14T13:50:19.511967+00:00", 3.9], + ["2026-03-14T13:50:21.832865+00:00", 4.0]]} Limit history to last 2 values:: # curl http://localhost:61208/api/4/cpu/history/2 - {"system": [["2026-03-14T12:45:19.343125+00:00", 3.0], - ["2026-03-14T12:45:20.380153+00:00", 3.0]], - "user": [["2026-03-14T12:45:19.343118+00:00", 8.0], - ["2026-03-14T12:45:20.380148+00:00", 8.0]]} + {"system": [["2026-03-14T13:50:19.511970+00:00", 4.9], + ["2026-03-14T13:50:21.832870+00:00", 3.3]], + "user": [["2026-03-14T13:50:19.511967+00:00", 3.9], + ["2026-03-14T13:50:21.832865+00:00", 4.0]]} History for a specific field:: # curl http://localhost:61208/api/4/cpu/system/history - {"system": [["2026-03-14T12:45:17.027039+00:00", 4.2], - ["2026-03-14T12:45:18.228958+00:00", 4.2], - ["2026-03-14T12:45:19.343125+00:00", 3.0], - ["2026-03-14T12:45:20.380153+00:00", 3.0]]} + {"system": [["2026-03-14T13:50:12.267581+00:00", 6.0], + ["2026-03-14T13:50:18.209800+00:00", 4.9], + ["2026-03-14T13:50:19.511970+00:00", 4.9], + ["2026-03-14T13:50:21.832870+00:00", 3.3]]} Limit history for a specific field to last 2 values:: # curl http://localhost:61208/api/4/cpu/system/history - {"system": [["2026-03-14T12:45:19.343125+00:00", 3.0], - ["2026-03-14T12:45:20.380153+00:00", 3.0]]} + {"system": [["2026-03-14T13:50:19.511970+00:00", 4.9], + ["2026-03-14T13:50:21.832870+00:00", 3.3]]} GET limits (used for thresholds) -------------------------------- @@ -2141,6 +2209,11 @@ All limits/thresholds:: # curl http://localhost:61208/api/4/all/limits {"alert": {"alert_disable": ["False"], "history_size": 1200.0}, "amps": {"amps_disable": ["False"], "history_size": 1200.0}, + "connections": {"connections_disable": ["False"], + "connections_nf_conntrack_percent_careful": 70.0, + "connections_nf_conntrack_percent_critical": 90.0, + "connections_nf_conntrack_percent_warning": 80.0, + "history_size": 1200.0}, "containers": {"containers_all": ["False"], "containers_disable": ["False"], "containers_disable_stats": ["command"], @@ -2171,17 +2244,29 @@ All limits/thresholds:: "cpu_user_warning": 70.0, "history_size": 1200.0}, "diskio": {"diskio_disable": ["False"], + "diskio_dm-0_rx_careful": 4000000000.0, + "diskio_dm-0_rx_critical": 6000000000.0, + "diskio_dm-0_rx_warning": 5000000000.0, + "diskio_dm-0_tx_careful": 700000000.0, + "diskio_dm-0_tx_critical": 1000000000.0, + "diskio_dm-0_tx_warning": 900000000.0, "diskio_hide": ["loop.*", "/dev/loop.*"], - "diskio_hide_zero": ["False"], - "diskio_rx_latency_careful": 10.0, - "diskio_rx_latency_critical": 50.0, - "diskio_rx_latency_warning": 20.0, - "diskio_tx_latency_careful": 10.0, - "diskio_tx_latency_critical": 50.0, - "diskio_tx_latency_warning": 20.0, + "diskio_hide_threshold_bytes": 0.0, + "diskio_hide_zero": ["True"], "history_size": 1200.0}, - "folders": {"folders_disable": ["False"], "history_size": 1200.0}, - "fs": {"fs_careful": 50.0, + "folders": {"folders_disable": ["False"], + "folders_folder_1_careful": 2500.0, + "folders_folder_1_critical": 3500.0, + "folders_folder_1_path": ["/home/nicolargo/tmp"], + "folders_folder_1_refresh": 60.0, + "folders_folder_1_warning": 3000.0, + "folders_folder_2_critical": 20000.0, + "folders_folder_2_path": ["/home/nicolargo/ISOs"], + "folders_folder_2_warning": 17000.0, + "folders_folder_3_path": ["/nonexisting"], + "history_size": 1200.0}, + "fs": {"fs_alias": ["/:Root", "/zsfpool:ZFS"], + "fs_careful": 50.0, "fs_critical": 90.0, "fs_disable": ["False"], "fs_hide": ["/boot.*", ".*/snap.*"], @@ -2202,7 +2287,7 @@ All limits/thresholds:: "ip": {"history_size": 1200.0, "ip_disable": ["False"], "ip_public_api": ["https://ipv4.ipleak.net/json/"], - "ip_public_disabled": ["True"], + "ip_public_disabled": ["False"], "ip_public_field": ["ip"], "ip_public_refresh_interval": 300.0, "ip_public_template": ["{continent_name}/{country_name}/{city_name}"]}, @@ -2222,18 +2307,21 @@ All limits/thresholds:: "memswap_disable": ["False"], "memswap_warning": 70.0}, "network": {"history_size": 1200.0, + "network_alias": ["wlp0s20f3:WIFI"], "network_disable": ["False"], "network_hide": ["docker.*", "lo"], "network_hide_no_ip": ["True"], "network_hide_no_up": ["True"], - "network_hide_zero": ["False"], + "network_hide_threshold_bytes": 0.0, + "network_hide_zero": ["True"], "network_rx_careful": 70.0, "network_rx_critical": 90.0, "network_rx_warning": 80.0, "network_tx_careful": 70.0, "network_tx_critical": 90.0, "network_tx_warning": 80.0}, "now": {"history_size": 1200.0}, + "npu": {"history_size": 1200.0}, "percpu": {"history_size": 1200.0, "percpu_disable": ["False"], "percpu_iowait_careful": 50.0, @@ -2257,7 +2345,6 @@ All limits/thresholds:: "processlist_cpu_critical": 90.0, "processlist_cpu_warning": 70.0, "processlist_disable": ["False"], - "processlist_disable_stats": ["cpu_num"], "processlist_mem_careful": 50.0, "processlist_mem_critical": 90.0, "processlist_mem_warning": 70.0, @@ -2305,7 +2392,7 @@ All limits/thresholds:: "programlist": {"history_size": 1200.0}, "psutilversion": {"history_size": 1200.0}, "quicklook": {"history_size": 1200.0, - "quicklook_bar_char": ["▪"], + "quicklook_bar_char": ["|"], "quicklook_cpu_careful": 50.0, "quicklook_cpu_critical": 90.0, "quicklook_cpu_warning": 70.0, @@ -2320,12 +2407,22 @@ All limits/thresholds:: "quicklook_swap_careful": 50.0, "quicklook_swap_critical": 90.0, "quicklook_swap_warning": 70.0}, + "raid": {"history_size": 1200.0, "raid_disable": ["False"]}, "sensors": {"history_size": 1200.0, + "sensors_alias": ["Composite:NVME", + "Package id 0:Core Pkg", + "iwlwifi_1 0:Wifi", + "BAT BAT0:Battery", + "i915 0:GPU"], "sensors_battery_careful": 70.0, "sensors_battery_critical": 90.0, "sensors_battery_warning": 80.0, "sensors_disable": ["False"], - "sensors_hide": ["unknown.*"], + "sensors_hide": ["unknown.*", + "dell_smm.*", + "core.*", + "sensor.*", + "ambient.*"], "sensors_refresh": 10.0, "sensors_temperature_hdd_careful": 45.0, "sensors_temperature_hdd_critical": 60.0, @@ -2335,6 +2432,10 @@ All limits/thresholds:: "system_refresh": 60}, "uptime": {"history_size": 1200.0}, "version": {"history_size": 1200.0}, + "vms": {"history_size": 1200.0, + "vms_all": ["False"], + "vms_disable": ["False"], + "vms_max_name_size": 20.0}, "wifi": {"history_size": 1200.0, "wifi_careful": -65.0, "wifi_critical": -85.0,
glances/outputs/glances_restful_api.py+14 −2 modified@@ -289,11 +289,23 @@ def __init__(self, config=None, args=None): # FastAPI Enable CORS # https://fastapi.tiangolo.com/tutorial/cors/ + cors_origins = config.get_list_value('outputs', 'cors_origins', default=["*"]) + cors_credentials = config.get_bool_value('outputs', 'cors_credentials', default=False) + + # Reject the insecure wildcard + credentials combination, + # even if the user explicitly sets cors_credentials=True in their config. + if cors_origins == ["*"] and cors_credentials: + logger.warning( + "CORS: allow_origins=['*'] combined with allow_credentials=True is insecure. " + "Disabling credentials. Set explicit cors_origins to enable credentialed requests." + ) + cors_credentials = False + self._app.add_middleware( CORSMiddleware, # Related to https://github.com/nicolargo/glances/issues/2812 - allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]), - allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True), + allow_origins=cors_origins, + allow_credentials=cors_credentials, allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]), allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]), )
glances/outputs/glances_stdout_api_restful_doc.py+25 −0 modified@@ -229,6 +229,31 @@ deployments on non-loopback interfaces, always set ``webui_allowed_hosts`` and consider enabling authentication. +**CORS (Cross-Origin Resource Sharing)** controls which external websites can +make requests to the Glances API from a browser. By default, Glances allows +requests from any origin (``cors_origins=*``) but does **not** allow credentials +(``cors_credentials=False``). This means cross-origin requests work for +unauthenticated API access, but browsers will not send stored credentials +(e.g. Basic Auth) to the API from a third-party page. + +If you need credentialed cross-origin access (e.g. a separate dashboard +application that authenticates to Glances), you **must** configure explicit +origins — the wildcard ``*`` combined with credentials is insecure and will be +automatically rejected: + +.. code-block:: ini + + [outputs] + cors_origins=https://my-dashboard.internal.example.com + cors_credentials=True + +.. warning:: + + Setting ``cors_credentials=True`` with ``cors_origins=*`` is not allowed. + Glances will automatically disable credentials and log a warning if this + combination is detected. This prevents a class of cross-site data theft + attacks where any website could read your monitoring data. + When Glances is started without authentication or without host filtering, warning messages are displayed at startup to remind you of the risks.
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-9jfm-9rc6-2hfqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32610ghsaADVISORY
- github.com/nicolargo/glances/commit/4465169b71d93991f1e49740fe02428291099832ghsax_refsource_MISCWEB
- github.com/nicolargo/glances/releases/tag/v4.5.2ghsax_refsource_MISCWEB
- github.com/nicolargo/glances/security/advisories/GHSA-9jfm-9rc6-2hfqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.