Loading
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=["*"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette's `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.
Cite this page
CVE-2026-32610. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-32610
Use CWE-942, Nicolargo vendor hub and Glances product page to widen CVE-2026-32610 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-32633, CVE-2026-32634 and CVE-2026-33641 for nearby disclosures in the same product family.