# CVE-2026-34839

> Vulnerability · severity: **MEDIUM** (CVSS 6.5).

## Description

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (`Access-Control-Allow-Origin: *`). This allows a malicious website to read sensitive system information from a running Glances instance in the victim’s browser, leading to cross-origin data exfiltration. While a previous advisory exists for XML-RPC CORS issues, this report demonstrates that the REST API (`/api/4/*`) is also affected and exposes significantly more sensitive data. Version 4.5.4 patches the issue.

## Key facts

- **CVE ID:** CVE-2026-34839
- **Published:** 2026-04-21
- **CVSS severity:** MEDIUM
- **CVSS base score:** 6.5
- **CWE codes:** CWE-200, CWE-306, CWE-942, CWE-306

## Affected products

- `nicolargo:glances`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34839

## Citation

> AI Analytics. CVE-2026-34839. Retrieved 2026-07-04 from https://api.ai-analytics.org/cve/CVE-2026-34839. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*