CVE-2026-32632
published 2026-03-18


Priority: P4 (33)
Severity: medium, CVSS 3.1 base score 5.9 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N)
EPSS: 0.16% (5.6th percentile)
Glances is an open-source, cross-platform system monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
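As an added, defender-side illustration (not Glances code and not the 4.5.2 patch itself): the kind of Host-header allowlist check that `TrustedHostMiddleware` applies, written in plain Python so it runs without FastAPI. It models the allowlist semantics of Starlette's middleware (exact match or a leading `*.` wildcard, port stripped) and uses constructed allowlist entries and Host values; port 61208 is assumed as the Glances listening port.

```python
"""Host-header allowlist check modelled on TrustedHostMiddleware.

Added example, not Glances code. A request whose Host header names an
attacker's rebinding domain is refused before it reaches the REST API.
"""
from typing import Iterable, Mapping, Optional


def normalise_host(host_header: str) -> str:
    """Lowercase the Host value and drop any port ('[::1]:61208' -> '::1')."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:      # bracketed IPv6 literal
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def host_allowed(host_header: Optional[str], allowed: Iterable[str]) -> bool:
    """True only if the Host header matches an allowlist entry.

    Semantics follow Starlette's TrustedHostMiddleware: an entry matches
    exactly, '*.example' matches any subdomain, and '*' matches anything.
    A missing Host header is refused, since every browser request carries one.
    """
    if not host_header:
        return False
    host = normalise_host(host_header)
    for pattern in allowed:
        pattern = pattern.lower()
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False


def trusted_host_gate(headers: Mapping[str, str], allowed: Iterable[str]) -> int:
    """HTTP status the gate yields: 400 blocks the request, 200 lets it through."""
    host = next((v for k, v in headers.items() if k.lower() == "host"), None)
    return 200 if host_allowed(host, allowed) else 400


if __name__ == "__main__":
    # Constructed allowlist and sample Host values (port 61208 assumed).
    allowlist = ["localhost", "127.0.0.1", "*.monitoring.example"]
    for host in ["localhost:61208", "[::1]:61208",
                 "rebind.attacker.example:61208", "node1.monitoring.example"]:
        print(f"{host:32} -> {trusted_host_gate({'Host': host}, allowlist)}")
```

In a real FastAPI deployment the same effect comes from `app.add_middleware(TrustedHostMiddleware, allowed_hosts=[...])`; the point of the check is that a rebound attacker domain never matches the allowlist, whatever the DNS answer says.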

Affected

5 ranges
Vendor            Product   Version range                      Fixed in
debian            glances   < glances 4.5.2+dfsg-1 (forky)     glances 4.5.2+dfsg-1 (forky)
glances_project   glances   >= 0 < 4.5.2+dfsg-1                4.5.2+dfsg-1
glances_project   glances   >= 0 < 4.5.5                       4.5.5
glances_project   glances   >= 0 < 4.5.2                       4.5.2
nicolargo         glances   < 4.5.2                            4.5.2

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      5.9     MEDIUM     CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
ghsa                      5.9     MEDIUM
osv                       5.9     MEDIUM
vendor_debian             5.9     MEDIUM