CVE-2026-32610
Published: 18 March 2026
Summary
CVE-2026-32610 is a high-severity Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942) vulnerability in Nicolargo Glances. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces and documents secure configuration settings for web servers like Glances REST API to prevent misconfigured CORS policies allowing credentialed cross-origin requests.
Requires identification, reporting, and timely correction of flaws such as this CORS misconfiguration via upgrade to Glances version 4.5.2 or later.
Monitors and controls communications at external interfaces to the Glances web server, blocking unauthorized cross-origin API requests exploiting reflected Origin headers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CORS misconfiguration in Glances REST API web server enables cross-origin credentialed access from attacker-controlled site (after user interaction), directly facilitating exploitation of the network-accessible monitoring application (T1190) to steal local system/configuration data (T1005).
NVD Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware`…
more
reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Deeper analysisAI
CVE-2026-32610 is a CORS misconfiguration vulnerability (CWE-942) in Glances, an open-source cross-platform system monitoring tool. In versions prior to 4.5.2, the Glances REST API web server uses Starlette's CORSMiddleware with a default configuration of `allow_origins=["*"]` combined with `allow_credentials=True`. This causes the middleware to reflect the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of the literal `*` wildcard, violating CORS security expectations. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and was published on 2026-03-18.
Attackers can exploit this vulnerability without privileges by tricking users into visiting a malicious website while they have an active browser session with a Glances instance. The malicious site can then issue credentialed cross-origin API requests to the Glances server, as the reflected `Access-Control-Allow-Origin` permits it. Successful exploitation enables cross-site theft of sensitive data, including system monitoring information, configuration secrets, and command-line arguments passed to Glances.
Glances version 4.5.2 addresses the issue by correcting the CORS configuration. Security advisories recommend immediate upgrades to this version or later. Details are available in the GitHub security advisory (GHSA-9jfm-9rc6-2hfq), release notes for v4.5.2, and the fixing commit (4465169b71d93991f1e49740fe02428291099832).
Details
- CWE(s)