CVE-2026-34839— Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-34839
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS
Source: NVD (National Vulnerability Database)
Vulnerability Description
Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
glances 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
glances是Nicolas Hennion个人开发者的一款系统监测工具。 glances 4.5.4之前版本存在安全漏洞,该漏洞源于REST API未经验证且允许跨域请求,可能导致恶意网站读取敏感系统信息,造成跨域数据渗漏。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-34839
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-34839
请登录查看更多情报信息。
Same Patch Batch · nicolargo · 2026-04-20 · 3 CVEs total
| CVE-2026-35588 | 6.3 MEDIUM | Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values |
| CVE-2026-35587 | Glances IP Plugin has SSRF via public_api that leads to credential leakage |
IV. Related Vulnerabilities
Same product: glances
- CVE-2026-35588
Glances has CQL Injection in its Cassandra Export Module via - CVE-2026-35587
Glances IP Plugin has SSRF via public_api that leads to cred - CVE-2026-33641
Glances Vulnerable to Command Injection via Dynamic Configur - CVE-2026-33533
Glances Vulnerable to Cross-Origin System Information Disclo - CVE-2026-32634
Glances Central Browser Autodiscovery Leaks Reusable Credent
Same vendor: nicolargo
- CVE-2026-35588
Glances has CQL Injection in its Cassandra Export Module via - CVE-2026-35587
Glances IP Plugin has SSRF via public_api that leads to cred - CVE-2026-33641
Glances Vulnerable to Command Injection via Dynamic Configur - CVE-2026-33533
Glances Vulnerable to Cross-Origin System Information Disclo - CVE-2026-32634
Glances Central Browser Autodiscovery Leaks Reusable Credent
Same weakness: CWE-200
- CVE-2026-42333
quarkus-openapi-generator has overly broad path-parameter ma - CVE-2026-8198
Activity Logs, User Activity Tracking, Multisite Activity Lo - CVE-2026-42456
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (ID - CVE-2026-41520
Cillium exposes sensitive information included in the cilium - CVE-2026-25199
Apache CloudStack: Proxmox Extension Allows Unauthorized Cro
V. Comments for CVE-2026-34839
No comments yet