CVE-2026-46608: CWE-183: Permissive List of Allowed Inputs in nicolargo glances
Glances is an open-source, cross-platform system monitoring tool. Its XML-RPC server (glances -s) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. In versions prior to 4.5.5, however, the implementation silently falls back to Access-Control-Allow-Origin: * whenever cors_origins contains more than one entry. An operator who configures an explicit two-entry allowlist (e.g. two internal dashboard origins), intending to restrict browser access, instead gets the unrestricted wildcard. A malicious web page served from any origin can then issue a CORS simple request to /RPC2 and read the full system monitoring dataset without the victim's knowledge. This vulnerability is fixed in 4.5.5.
AI Analysis
Technical Summary
CVE-2026-46608 describes a vulnerability in nicolargo Glances versions before 4.5.5 in which the XML-RPC server's CORS origin allowlist is improperly implemented. Specifically, if the cors_origins list contains more than one entry, the server responds with Access-Control-Allow-Origin: * instead of restricting access to the configured origins. This lets any web origin perform CORS simple requests to the /RPC2 endpoint and read the full system monitoring dataset, bypassing the intended origin restriction. The allowlist feature was introduced in version 4.5.3 as a mitigation for a previous CVE (CVE-2026-33533); the wildcard fallback was corrected in 4.5.5.
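To make the failure mode concrete, the following is an added example written for this page, not Glances source code. It models the behaviour the advisory describes (a single-entry allowlist is honoured, a multi-entry one degrades to the wildcard) next to a correct per-request origin check, simulates the browser's CORS decision for a simple request, and adds a small configuration audit. All function names, the `Vary: Origin` handling, the version-parsing rule (plain dotted numeric versions only) and the sample origins are assumptions for illustration.

```python
"""Constructed model of the CORS allowlist fallback described in CVE-2026-46608.

Not Glances source code: the functions below reproduce the behaviour the
advisory describes so the flaw and a correct per-origin check can be compared.
"""
from typing import Dict, Optional, Sequence


def acao_vulnerable(cors_origins: Sequence[str], request_origin: Optional[str]) -> Optional[str]:
    """Models the flawed behaviour: one configured origin is honoured, but any
    list with more than one entry silently degrades to the wildcard."""
    if not cors_origins:
        return None
    if len(cors_origins) == 1:
        return cors_origins[0]
    return "*"  # the bug: two or more entries yield the unrestricted wildcard


def acao_fixed(cors_origins: Sequence[str], request_origin: Optional[str]) -> Optional[str]:
    """Correct behaviour: echo the request's Origin only if it is allowlisted,
    never emit a wildcard, and emit no header at all when nothing matches."""
    if not request_origin:
        return None
    wanted = request_origin.strip().lower()
    for allowed in cors_origins:
        if allowed.strip().lower() == wanted:
            # Echo the origin as the browser sent it so the byte-exact
            # comparison the browser performs succeeds.
            return request_origin.strip()
    return None


def cors_response_headers(acao: Optional[str]) -> Dict[str, str]:
    """Headers to attach. Vary: Origin keeps shared caches from serving one
    origin's response to another once the value is per-request."""
    if acao is None:
        return {}
    headers = {"Access-Control-Allow-Origin": acao}
    if acao != "*":
        headers["Vary"] = "Origin"
    return headers


def browser_permits_read(acao: Optional[str], page_origin: str) -> bool:
    """The browser's CORS check for a credential-less simple request: the
    response is readable if the header is '*' or exactly the page's origin."""
    return acao == "*" or acao == page_origin


def audit_cors_config(version: str, cors_origins: Sequence[str]) -> Optional[str]:
    """Flag the risky combination: an affected version plus a multi-entry list.
    Assumes plain dotted numeric version strings such as '4.5.3'."""
    parts = tuple(int(p) for p in version.split("."))
    if parts < (4, 5, 5) and len(cors_origins) > 1:
        return (f"glances {version}: {len(cors_origins)} cors_origins entries fall back "
                f"to '*'; upgrade to 4.5.5 or later")
    return None


if __name__ == "__main__":
    # Constructed sample: a two-entry internal allowlist and an unrelated page origin.
    allowlist = ["https://dash-a.internal", "https://dash-b.internal"]
    other = "https://untrusted.example"
    print("vulnerable header:", acao_vulnerable(allowlist, other))
    print("readable by other origin (vulnerable):",
          browser_permits_read(acao_vulnerable(allowlist, other), other))
    print("readable by other origin (fixed):",
          browser_permits_read(acao_fixed(allowlist, other), other))
    print("audit:", audit_cors_config("4.5.3", allowlist))
```

The audit function reflects the interim advice below: on an affected version, a cors_origins list with more than one entry is exactly the configuration that produces the wildcard, so it is the condition worth flagging in configuration review until the upgrade lands.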
Potential Impact
An attacker hosting a malicious web page on any origin can issue CORS requests to the Glances XML-RPC server and read sensitive system monitoring data without the user's consent or knowledge. The result is a confidentiality breach of system monitoring information; there is no impact on integrity or availability. The vulnerability requires no privileges, and the only user interaction needed is visiting the malicious web page.
Mitigation Recommendations
This vulnerability is fixed in Glances version 4.5.5; operators should upgrade to 4.5.5 or later. Until then, operators should avoid configuring cors_origins with more than one entry, since a multi-entry list is what triggers the fallback to the wildcard origin. The vendor advisory does not explicitly label the patch status 'official-fix', but the fix is included in version 4.5.5. No other mitigations or vendor advisories are provided.
CVSS v3.1 score: 7.4 (High)
Affected software
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-15T19:34:14.011Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a3d73fb4853345fc14dfa2a
Added to database: 06/25/2026, 18:31:23 UTC
Last enriched: 06/25/2026, 18:47:26 UTC
Last updated: 06/25/2026, 20:53:59 UTC