Medium severity (CVSS 6.5) · NVD Advisory · Published Apr 2, 2026 · Updated Apr 7, 2026

CVE-2026-33533

Description

Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.3, the Glances XML-RPC server (started with glances -s or glances --server) sends Access-Control-Allow-Origin: * on every HTTP response. Because the XML-RPC handler does not validate the Content-Type header, an attacker-controlled webpage can issue a CORS "simple request" (a POST with Content-Type: text/plain) whose body is a valid XML-RPC payload. The browser sends the request without a preflight check, the server parses the XML body and returns the full system monitoring dataset, and the wildcard CORS header lets the attacker's JavaScript read the response. The result is complete exfiltration of hostname, OS version, IP addresses, CPU/memory/disk/network statistics, and the full process list including command lines (which often contain tokens, passwords, or internal paths). This issue has been patched in version 4.5.3.
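The two server-side decisions the description turns on, written out as an added example that is not Glances' own code and goes further than the project's fix: a request body is accepted only with an XML media type (so a browser cannot deliver it as a preflight-free text/plain "simple request"), and Access-Control-Allow-Origin is returned only for an Origin found in a configured allow-list, never as a wildcard fallback. The allow-list, origins and the evaluate_request helper are constructed for illustration.

```python
from typing import Iterable, Optional

# Constructed allow-list for this example (hypothetical origin, not from the advisory).
ALLOWED_ORIGINS = ["https://dashboard.example.internal"]

# Media types an XML-RPC client legitimately sends. text/plain is deliberately
# absent: it is one of the CORS "simple request" types, so accepting it lets a
# browser deliver an XML-RPC body without any preflight.
XMLRPC_MEDIA_TYPES = {"text/xml", "application/xml"}


def content_type_allowed(content_type: Optional[str]) -> bool:
    """True only for an XML media type; parameters such as charset are ignored."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in XMLRPC_MEDIA_TYPES


def cors_origin_header(request_origin: Optional[str], allowed: Iterable[str]) -> Optional[str]:
    """Value for Access-Control-Allow-Origin, or None when the header must be omitted.

    The request's Origin is echoed back only when it appears verbatim in the
    configured list; an unmatched origin never falls back to "*".
    """
    allow = {o.strip() for o in allowed if o and o.strip()}
    if "*" in allow:
        return "*"
    if not request_origin:
        return None
    origin = request_origin.strip()
    return origin if origin in allow else None


def evaluate_request(method: str, headers: dict, allowed: Iterable[str] = ALLOWED_ORIGINS):
    """Return (status, response_headers) for the CORS and Content-Type decision.

    Hypothetical helper: only the access decision is modelled here, the
    XML-RPC dispatch itself is out of scope.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    acao = cors_origin_header(hdr.get("origin"), allowed)
    resp = {}
    if acao is not None:
        resp["Access-Control-Allow-Origin"] = acao
        if acao != "*":
            # The response now depends on Origin; tell shared caches so.
            resp["Vary"] = "Origin"

    if method == "OPTIONS":
        # Preflight: answer positively only for an allowed origin.
        if acao is None:
            return 403, resp
        resp["Access-Control-Allow-Methods"] = "POST, OPTIONS"
        resp["Access-Control-Allow-Headers"] = "Content-Type, Authorization"
        return 204, resp

    if method != "POST":
        return 405, resp

    if not content_type_allowed(hdr.get("content-type")):
        # Refusing text/plain is what forces cross-origin callers through a preflight.
        return 415, resp

    return 200, resp


if __name__ == "__main__":
    # Constructed requests: one from an unknown site, one from the allowed dashboard.
    print(evaluate_request("POST", {"Origin": "https://evil.example", "Content-Type": "text/plain"}))
    print(evaluate_request("POST", {"Origin": "https://dashboard.example.internal",
                                    "Content-Type": "text/xml; charset=utf-8"}))
```

With the allow-list set, a text/plain POST from an unlisted origin is answered with 415 and no Access-Control-Allow-Origin header at all, while a preflighted text/xml POST from the listed dashboard gets the echoed origin plus Vary: Origin.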

Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions   Patched versions
Glances   PyPI        < 4.5.3             4.5.3


Patches

dcb39c3f12b2

Merge branch 'advisorie/GHSA-7p93-6934-f4q7' into develop

https://github.com/nicolargo/glances · nicolargo · Mar 28, 2026 · via ghsa
3 files changed · +32 −5
  • conf/glances.conf (+3 −2) modified
    @@ -37,8 +37,8 @@ history_size=1200
     # Disable background color
     #disable_bg=True
     #
    -# Specifics options for WebUI
    -#----------------------------
    +# Specifics options for Glances server
    +#-------------------------------------
     # Set URL prefix for the WebUI and the API
     # Example: url_prefix=/glances/ => http://localhost/glances/
     # Note: The final / is mandatory
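Review bot: the retitled heading still reads "Specifics options" (should be "Specific options") and its new underline is one dash longer than the title. The keys that follow (url_prefix for the WebUI and the API) are unchanged, so a heading that now says "Glances server" may lead readers to assume those keys also apply to the XML-RPC server; either keep the WebUI wording or state per key which server honours it.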
    @@ -54,6 +54,7 @@ history_size=1200
     #
     # CORS options
     # Comma separated list of origins that should be permitted to make cross-origin requests.
    +# This option is available for both Restful and XML-RPC server
     # Default is *
     #cors_origins=*
     # Indicate that cookies should be supported for cross-origin requests.
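Review bot: the added line promises that cors_origins applies to both the Restful and the XML-RPC server, but glances/server.py in this same commit honours it for XML-RPC only when exactly one origin is listed and falls back to "*" otherwise. Document that limitation here, for example "the XML-RPC server applies this option only when a single origin is configured", so an operator does not assume a multi-origin list restricts the XML-RPC endpoint.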
    
  • docker-compose/glances.conf (+3 −2) modified
    @@ -37,8 +37,8 @@ max_processes_display=25
     # Disable background color
     #disable_bg=True
     #
    -# Specifics options for WebUI
    -#----------------------------
    +# Specifics options for Glances server
    +#-------------------------------------
     # Set URL prefix for the WebUI and the API
     # Example: url_prefix=/glances/ => http://localhost/glances/
     # Note: The final / is mandatory
    @@ -54,6 +54,7 @@ max_processes_display=25
     #
     # CORS options
     # Comma separated list of origins that should be permitted to make cross-origin requests.
    +# This option is available for both Restful and XML-RPC server
     # Default is *
     #cors_origins=*
     # Indicate that cookies should be supported for cross-origin requests.
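Review bot: this file duplicates conf/glances.conf, so both remarks made there carry over: "Specifics options" and the over-long underline in the first hunk, and the claim on the added line that cors_origins covers the XML-RPC server when server.py only applies a single-entry list. Keeping the two copies identical is right, but the caveat should be added to both.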
    
  • glances/server.py (+26 −1) modified
    @@ -39,7 +39,9 @@ def end_headers(self):
     
         def send_my_headers(self):
             # Specific header is here (solved the issue #227)
    -        self.send_header("Access-Control-Allow-Origin", "*")
    +        # Use configurable CORS origins (default: *) read from the server instance
    +        cors_origin = getattr(self.server, 'cors_origin', '*')
    +        self.send_header("Access-Control-Allow-Origin", cors_origin)
     
         def authenticate(self, headers):
             # auth = headers.get('Authorization')
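Review bot: getattr(self.server, 'cors_origin', '*') keeps "*" as the fallback whenever the server object lacks the attribute, so a handler mounted on a server that never set cors_origin silently reverts to the pre-fix behaviour; default to None and skip send_header when the value is unset. The header is also still emitted unconditionally on every response, and nothing in this hunk validates the request Content-Type, which the advisory description names as the condition that lets a text/plain "simple request" reach the handler without a preflight.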
    @@ -98,6 +100,18 @@ def __init__(self, bind_address, bind_port=61209, requestHandler=GlancesXMLRPCHa
             self.bind_address = bind_address
             self.bind_port = bind_port
             self.config = config
    +
    +        # Read CORS origins from config — same key as the REST API
    +        # Default: "*" for backward compatibility
    +        if config is not None:
    +            cors_origins = config.get_list_value('outputs', 'cors_origins', default=["*"])
    +        else:
    +            cors_origins = ["*"]
    +        # For the XML-RPC handler we emit a single Access-Control-Allow-Origin
    +        # header. If the config lists a single explicit origin, use it;
    +        # otherwise fall back to "*".
    +        self.cors_origin = cors_origins[0] if len(cors_origins) == 1 else "*"
    +
             try:
                 self.address_family = socket.getaddrinfo(bind_address, bind_port)[0][0]
             except OSError as e:
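Review bot: the final added line widens rather than narrows access: a config with two or more explicit origins yields self.cors_origin = "*", so an operator who tightens cors_origins to a list ends up back on the wildcard. Either match the request's Origin against the full list at response time (which is what the comment says the REST API key already does) or reject multi-entry lists for the XML-RPC server with an explicit error, and at minimum log that the configured list was ignored. Note also that the default ["*"] means an unchanged glances.conf keeps the vulnerable behaviour; the fix is opt-in until cors_origins is set.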
    @@ -195,6 +209,17 @@ def __init__(self, requestHandler=GlancesXMLRPCHandler, config=None, args=None):
             self.server.user_dict = {}
             self.server.isAuth = False
     
    +        # Warn if running unauthenticated with wildcard CORS
    +        if args.password == "" and self.server.cors_origin == "*":
    +            print(
    +                "WARNING: XML-RPC server is running without authentication and with CORS Allow-Origin: *.\n"
    +                "         Mitigations: set a password (-P/--password) and/or restrict\n"
    +                "         cors_origins in glances.conf [outputs] section."
    +            )
    +            logger.warning(
    +                "XML-RPC server is running without authentication and with CORS Access-Control-Allow-Origin: *. "
    +            )
    +
             # Register functions
             self.server.register_introspection_functions()
             self.server.register_instance(GlancesInstance(config, args))
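Review bot: args.password == "" dereferences args without a None check even though the signature above defaults args=None, so constructing GlancesServer without args now raises AttributeError before the warning fires; guard with "if args is not None and args.password == '' and ...". The same warning is also emitted twice, once via print and once via logger.warning, with different wording and a trailing space inside the logger string; one logger.warning call that carries the mitigation text from the print is enough.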
    
