CVE-2026-34839: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nicolargo glances
Glances versions prior to 4. 5. 4 have a vulnerability where the web server's REST API (/api/4/*) is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy. This enables malicious websites to read sensitive system information from a running Glances instance in the victim's browser, resulting in cross-origin data exfiltration. The issue was patched in version 4. 5. 4.
AI Analysis
Technical Summary
Glances, an open-source cross-platform system monitoring tool, exposes a REST API endpoint (/api/4/*) without authentication and with a permissive CORS policy (Access-Control-Allow-Origin: *), allowing any website to perform cross-origin requests and read sensitive system data from the Glances instance running in a user's browser. This vulnerability, identified as CVE-2026-34839 and classified under CWE-200 (Exposure of Sensitive Information), CWE-942 (Permissive Cross-domain Policy), and CWE-306 (Missing Authentication for Critical Function), affects all versions prior to 4.5.4. The vulnerability enables unauthorized actors to exfiltrate sensitive system information via cross-origin requests. Version 4.5.4 includes a patch that restricts access and mitigates this exposure.
Potential Impact
An attacker can exploit this vulnerability by hosting a malicious website that, when visited by a user running a vulnerable Glances instance, can read sensitive system information exposed by the REST API. This leads to unauthorized disclosure of system data without requiring user interaction or authentication. The CVSS 4.0 score of 7.7 (high severity) reflects the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality.
Mitigation Recommendations
Upgrade Glances to version 4.5.4 or later, where this vulnerability has been patched. The vendor advisory confirms that version 4.5.4 addresses the issue by restricting access to the REST API and correcting the CORS policy. No additional mitigation steps are required if the software is updated.
CVE-2026-34839: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in nicolargo glances
Description
Glances versions prior to 4. 5. 4 have a vulnerability where the web server's REST API (/api/4/*) is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy. This enables malicious websites to read sensitive system information from a running Glances instance in the victim's browser, resulting in cross-origin data exfiltration. The issue was patched in version 4. 5. 4.
CVSS v4.0
Score 7.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Glances, an open-source cross-platform system monitoring tool, exposes a REST API endpoint (/api/4/*) without authentication and with a permissive CORS policy (Access-Control-Allow-Origin: *), allowing any website to perform cross-origin requests and read sensitive system data from the Glances instance running in a user's browser. This vulnerability, identified as CVE-2026-34839 and classified under CWE-200 (Exposure of Sensitive Information), CWE-942 (Permissive Cross-domain Policy), and CWE-306 (Missing Authentication for Critical Function), affects all versions prior to 4.5.4. The vulnerability enables unauthorized actors to exfiltrate sensitive system information via cross-origin requests. Version 4.5.4 includes a patch that restricts access and mitigates this exposure.
Potential Impact
An attacker can exploit this vulnerability by hosting a malicious website that, when visited by a user running a vulnerable Glances instance, can read sensitive system information exposed by the REST API. This leads to unauthorized disclosure of system data without requiring user interaction or authentication. The CVSS 4.0 score of 7.7 (high severity) reflects the network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality.
Mitigation Recommendations
Upgrade Glances to version 4.5.4 or later, where this vulnerability has been patched. The vendor advisory confirms that version 4.5.4 addresses the issue by restricting access to the REST API and correcting the CORS policy. No additional mitigation steps are required if the software is updated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T20:52:53.284Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e6b73b19fe3cd2cd3f2d13
Added to database: 4/20/2026, 11:31:07 PM
Last enriched: 4/28/2026, 6:02:47 AM
Last updated: 6/4/2026, 7:21:05 PM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.