
CVE-2026-33533: CWE-942: Permissive Cross-domain Policy with Untrusted Domains in nicolargo glances

Severity: High
Tags: Vulnerability, CVE-2026-33533, CWE-942
Published: Thu Apr 02 2026 (04/02/2026, 14:56:38 UTC)
Source: CVE Database V5
Vendor/Project: nicolargo
Product: glances

Description

Glances versions prior to 4.5.3 have a permissive cross-origin resource sharing (CORS) policy in their XML-RPC server, allowing any origin to access system monitoring data. The server responds with Access-Control-Allow-Origin: * and does not validate the Content-Type header, enabling attacker-controlled webpages to send simple POST requests with XML-RPC payloads. This results in exposure of detailed system information including hostname, OS version, IP addresses, hardware stats, and full process lists with potentially sensitive command line arguments. The vulnerability is patched in version 4.5.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/09/2026, 22:54:30 UTC

Technical Analysis

The vulnerability in nicolargo Glances (CVE-2026-33533) involves a permissive CORS policy combined with insufficient Content-Type validation in the XML-RPC server component. When running versions before 4.5.3 with server mode enabled, the application sets Access-Control-Allow-Origin: * on all HTTP responses. Because the XML-RPC handler accepts POST requests with Content-Type: text/plain, a CORS-safelisted media type, the browser treats such a request as a "simple request" and sends it without a preflight, so a malicious webpage can deliver a valid XML-RPC payload to the server. The server processes the request and returns comprehensive system monitoring data, which the attacker's JavaScript can read because of the wildcard CORS header. This leads to unauthorized disclosure of sensitive system information. The issue is resolved by updating to Glances version 4.5.3.
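As an added illustration of the two controls the analysis above names, here is a hypothetical request gate for an XML-RPC endpoint. It is not Glances' own code, and the origin allowlist and header handling it uses are assumptions: it rejects non-XML Content-Types (which also forces a CORS preflight for cross-site callers) and echoes one allowed origin instead of the wildcard.

```python
from urllib.parse import urlsplit

# Media types the XML-RPC handler accepts. text/plain is deliberately absent:
# it is CORS-safelisted, so a cross-site POST carrying it is a "simple
# request" the browser sends without a preflight, which is the case the
# advisory describes.
ALLOWED_CONTENT_TYPES = {"text/xml", "application/xml"}

# Hypothetical operator-configured allowlist of front-end origins (assumed).
ALLOWED_ORIGINS = {"https://dashboard.example.internal"}


def content_type_ok(content_type):
    """True only for an XML media type; parameters such as charset are ignored."""
    if not content_type:
        return False
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED_CONTENT_TYPES


def cors_headers_for(origin, allowed_origins=ALLOWED_ORIGINS):
    """CORS headers to emit for a request from ``origin``.

    The wildcard (Access-Control-Allow-Origin: *) is never returned. An
    unknown or absent Origin gets no CORS headers, so the browser withholds
    the response body from cross-site scripts.
    """
    if not origin:
        return {}
    parts = urlsplit(origin)
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in {o.lower() for o in allowed_origins}:
        return {}
    return {"Access-Control-Allow-Origin": normalized, "Vary": "Origin"}


def accept_xmlrpc_request(headers):
    """Gate an XML-RPC POST before it reaches the dispatcher.

    ``headers`` maps request header names (any case) to values. Returns
    (accepted, http_status, response_headers); 415 rejects a bad media type.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if not content_type_ok(lower.get("content-type")):
        return False, 415, {}
    return True, 200, cors_headers_for(lower.get("origin"))
```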

Potential Impact

An attacker can remotely exfiltrate detailed system information including hostname, operating system version, IP addresses, CPU, memory, disk, and network statistics, as well as the full process list with command line arguments. This data may contain sensitive tokens, passwords, or internal paths, leading to significant information disclosure. The vulnerability does not require authentication and can be exploited via a malicious webpage without user privileges on the target system.

Mitigation Recommendations

This vulnerability is fixed in Glances version 4.5.3. Users should upgrade to version 4.5.3 or later to remediate the issue. No additional mitigations are required once the update is applied.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-20T18:05:11.831Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69ce866ce6bfc5ba1de33603

Added to database: 4/2/2026, 3:08:28 PM

Last enriched: 4/9/2026, 10:54:30 PM

Last updated: 5/20/2026, 9:42:04 PM

