Platform: python
Component: glances
Fixed in: 4.5.4, 4.5.2, 4.5.3
CVE-2026-33533 describes an Information Disclosure vulnerability in Glances, a cross-platform system monitoring and performance toolkit. This flaw allows attackers to retrieve sensitive system monitoring data through a malicious CORS request. The vulnerability affects versions of Glances up to 4.5.1, and a fix is available in version 4.5.3.
The vulnerability stems from the Glances XML-RPC server's mishandling of CORS headers and Content-Type validation. An attacker can leverage this to craft a CORS "simple" POST request (one that browsers send without a preflight check) from a web page, bypassing preflight checks. The server processes the XML-RPC payload and returns the complete system monitoring dataset, which can include CPU usage, memory utilization, disk I/O, network statistics, and other critical system information. This data can be used for reconnaissance, identifying potential attack vectors, or even for exfiltrating sensitive information if it contains credentials or other confidential data. The wildcard Access-Control-Allow-Origin header allows any website to read this data, significantly expanding the potential attack surface.
This vulnerability was publicly disclosed on 2026-03-30. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and ease of exploitation suggest a potential for rapid PoC development. It is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation is to upgrade Glances to version 4.5.3 or later, which addresses the Content-Type validation issue. If upgrading is not immediately feasible, consider disabling the XML-RPC server by avoiding the use of glances -s or glances --server. As a temporary workaround, configure a Web Application Firewall (WAF) or reverse proxy to filter out POST requests with Content-Type: text/plain to the Glances XML-RPC endpoint. Carefully review and restrict access to the Glances server to only trusted networks and users.
Update Glances to version 4.5.3 or higher. This version fixes the Cross-Origin System Information Disclosure vulnerability by correctly validating the Content-Type header and preventing sensitive system information disclosure.
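As an added defensive illustration (not Glances project code), the policy a reverse proxy or WAF in front of the XML-RPC server could apply: it identifies the CORS-safelisted Content-Type that lets a POST skip the browser preflight, insists on XML content types, and replaces the wildcard Access-Control-Allow-Origin with an allowlist. The allowed origin below is a constructed assumption, not a Glances setting.

```python
from typing import Optional, Tuple

# CORS-safelisted media types: a POST carrying one of these is a "simple"
# request that browsers send WITHOUT a preflight OPTIONS exchange.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# XML-RPC clients send XML bodies; the proxy can insist on these.
ALLOWED_XMLRPC_CONTENT_TYPES = {"text/xml", "application/xml"}
# Explicit allowlist instead of a wildcard Access-Control-Allow-Origin.
ALLOWED_ORIGINS = {"https://monitoring.example.internal"}  # constructed value


def media_type(content_type: Optional[str]) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_cors_simple_post(headers: dict) -> bool:
    """True if a browser would send this POST without a preflight."""
    return media_type(headers.get("Content-Type")) in SAFELISTED_CONTENT_TYPES


def check_xmlrpc_request(method: str, headers: dict) -> Tuple[bool, str, Optional[str]]:
    """Decide whether to forward a request to the XML-RPC endpoint.

    Returns (allowed, reason, acao_value). acao_value is the
    Access-Control-Allow-Origin to emit, or None to emit no header.
    """
    origin = headers.get("Origin")
    acao = origin if origin in ALLOWED_ORIGINS else None
    if method.upper() != "POST":
        return False, "xml-rpc requires POST", acao
    # Rejects text/plain and the other safelisted types outright.
    if media_type(headers.get("Content-Type")) not in ALLOWED_XMLRPC_CONTENT_TYPES:
        return False, "unexpected Content-Type", acao
    # A browser-originated request from an unknown site is refused.
    if origin is not None and acao is None:
        return False, "origin not allowlisted", acao
    return True, "ok", acao
```

This only closes the cross-origin browser vector; a client with direct network reach is unaffected by CORS, so the network restriction above still applies.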
CVE-2026-33533 is a HIGH severity vulnerability in Glances versions up to 4.5.1 that allows attackers to retrieve system monitoring data via a crafted CORS request.
You are affected if you are running Glances version 4.5.1 or earlier. Upgrade to version 4.5.3 to mitigate the risk.
Upgrade Glances to version 4.5.3 or later. Alternatively, disable the XML-RPC server or implement WAF rules to block malicious requests.
There are currently no reports of active exploitation, but the vulnerability's ease of exploitation suggests a potential for future attacks.
Refer to the Glances project's official website and GitHub repository for updates and advisories related to CVE-2026-33533.