# CVE-2026-32632
Published 2026-03-18
Priority P433 · Severity medium · CVSS 3.1 base score 5.9
Vector: AV:N / AC:H / PR:N / UI:R / S:U / C:H / I:L / A:N
EPSS: 0.16% (5.6th percentile)
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
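The fix described above is a host allowlist in front of the FastAPI application. As an added illustration, and not Glances' own code, the block below is a minimal ASGI middleware with the matching rules of Starlette's `TrustedHostMiddleware` (exact host or `*.domain` wildcard, port stripped before comparison), driven by a constructed stand-in API so that an allowlisted `Host` answers 200 while a rebound attacker domain gets 400 before any data is served. The hostnames, the `/api/4/cpu` path and port 61208 in the sample are assumptions.

```python
import asyncio
from typing import Iterable

class HostAllowlistMiddleware:
    """ASGI middleware rejecting requests whose Host header is not allowlisted.
    Constructed illustration, not Glances' code; matching follows Starlette's
    TrustedHostMiddleware (exact host or "*.domain"), port stripped first."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app, self.allowed = app, [h.lower() for h in allowed_hosts]

    @staticmethod
    def _strip_port(host_header: str) -> str:
        h = host_header.strip().lower()
        if h.startswith("["):  # IPv6 literal such as [::1]:61208
            end = h.find("]")
            return h[:end + 1] if end != -1 else ""
        return h.split(":", 1)[0]

    def host_allowed(self, host_header: str) -> bool:
        host = self._strip_port(host_header)
        return bool(host) and any(
            p == "*" or host == p or (p.startswith("*.") and host.endswith(p[1:]))
            for p in self.allowed)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        host = next((v for k, v in scope.get("headers", []) if k.lower() == b"host"), b"")
        if self.host_allowed(host.decode("latin-1")):
            return await self.app(scope, receive, send)
        # A rebound attacker domain never matches: refuse before the API runs.
        await send({"type": "http.response.start", "status": 400,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"Invalid host header"})

async def monitoring_api(scope, receive, send):
    """Stand-in for the unprotected REST API: returns data to any caller."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b'{"cpu": 12.5}'})

def probe(app, host_header: str) -> int:
    # Drive an ASGI app with one GET request and return the HTTP status code.
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b""}
    scope = {"type": "http", "method": "GET", "path": "/api/4/cpu",
             "headers": [(b"host", host_header.encode("latin-1"))]}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]

# Allowlist only the names the WebUI is legitimately reached by (constructed sample).
protected = HostAllowlistMiddleware(monitoring_api, ["localhost", "127.0.0.1", "[::1]", "*.lan.example"])
```

Note that the unwrapped `monitoring_api` answers 200 to any `Host`, which is the pre-4.5.2 behaviour the advisory describes; only the wrapped `protected` app refuses the rebound name.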
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | glances | < glances 4.5.2+dfsg-1 (forky) | glances 4.5.2+dfsg-1 (forky) |
| glances_project | glances | >= 0 < 4.5.2+dfsg-1 | 4.5.2+dfsg-1 |
| glances_project | glances | >= 0 < 4.5.5 | 4.5.5 |
| glances_project | glances | >= 0 < 4.5.2 | 4.5.2 |
| nicolargo | glances | < 4.5.2 | 4.5.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N |
| ghsa | | 5.9 | MEDIUM | |
| osv | | 5.9 | MEDIUM | |
| vendor_debian | | 5.9 | MEDIUM | |
GHSA · 2026-06-22 · CVSS 5.9
CVE-2026-46611 [MEDIUM] CWE-346: Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
### Summary
The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP server has had equivalent protection since 4.5.1. The XML-RPC server received neither fix and has no `allowed-hosts` configuration key. Combined with the unrestricted `Access-Control-Allow-Origin: *` header (see companion advisory for CVE-2026-33533 and its incomplete fix), an attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser.
---
### Details
**Affected component:** `glanc
OSV · 2026-03-18 · CVSS 5.9
CVE-2026-32632 [MEDIUM] CVE-2026-32632: Glances is an open-source system cross-platform monitoring tool
OSV · 2026-03-16
CVE-2026-32632 [MEDIUM] Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
## Summary
Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist.
As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.
This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebindi
GHSA · 2026-03-16
CVE-2026-32632 [MEDIUM] CWE-346: Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Debian · 2026 · CVSS 5.9
CVE-2026-32632 [MEDIUM] CVE-2026-32632: glances - Glances is an open-source system cross-platform monitoring tool. Glances recentl...
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-03-18 · CVSS 5.9
CVE-2026-32632 [MEDIUM] glances: REST/WebUI lacks host validation and remains exposed to DNS rebinding [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Bugzilla · 2026-03-18 · CVSS 5.9
CVE-2026-32632 [MEDIUM] glances: REST/WebUI lacks host validation and remains exposed to DNS rebinding [fedora-all]
Discussion:
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
Wiz · CVSS 5.9
CVE-2026-32632 [MEDIUM] CVE-2026-32632 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32632: Python vulnerability analysis and mitigation
Tags: Host, TrustedHostMiddleware
Source: NVD
- Score: 5.9 (CNA score 5.9)
- Published: March 18, 2026
- Severity: MEDIUM
- Affected technologies: Python, NixOS
- Has public exploit: Yes
- Has CISA KEV exploit: No
- CISA KEV release date: N/A
- CISA KEV due date: N/A
- Exploitation probability percentile (EPSS): 3.7
- Exploitation probability (EPSS): N/A
- Affected packages and libraries: glances

Sources (NVD)
| Distribution / ecosystem | Severity | Fix status | Added at |
|---|---|---|---|
| Debian 12, 13 | MEDIUM | No fix | Mar 19, 2026 |
| Debian 14 | MEDIUM | Has fix | Mar 19, 2026 |
| Echo | MEDIUM | No fix | Mar 19, 2026 |
| pip | MEDIUM | Has fix | Mar 17, 2026 |
| Homebrew | MEDIUM | Has fix | Mar 20, 2026 |
| Nix | MEDIUM | Has fix | Mar 20, 2026 |