NIXPKGS-2026-1222

GitHub issue published on

Permalink CVE-2026-34839

updated 4 hours ago by @LeSuisse Activity log

Created automatic suggestion 1 day, 16 hours ago
@LeSuisse ignored
5 packages
- python312Packages.glances-api
- python313Packages.glances-api
- python314Packages.glances-api
- home-assistant-component-tests.glances
- tests.home-assistant-components.glances
1 day, 6 hours ago
@LeSuisse accepted 1 day, 6 hours ago
@LeSuisse published on GitHub 4 hours ago

Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/api/4) due to Permissive CORS

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.

References

https://github.com/nicolargo/glances/security/advisories/GHSA-gfc2-9qmw-w7vh x_refsource_CONFIRM
https://github.com/nicolargo/glances/commit/fdfb977b1d91b5e410bc06c4e19f8bedb0005ce9 x_refsource_MISC

Affected products

glances

==< 4.5.4

Matching in nixpkgs

pkgs.glances

Cross-platform curses-based monitoring tool

nixos-unstable 4.5.3.2
- nixpkgs-unstable 4.5.3.2
- nixos-unstable-small 4.5.3.2
nixos-25.11 4.3.3
- nixos-25.11-small 4.3.3
- nixpkgs-25.11-darwin 4.3.3