CVE-2026-46611
Published 2026-06-25
Priority P428 · medium · 5.3 · CVSS 3.1
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.16% (5.2th percentile)
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser. This vulnerability is fixed in 4.5.5.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| glances_project | glances | >= 0 < 4.5.5 | 4.5.5 |
| nicolargo | glances | < 4.5.5 | 4.5.5 |
CVSS provenance
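| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N |
| ghsa | | 5.9 | MEDIUM | |
| vendor_redhat | | 5.3 | MEDIUM | |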
Red Hat
glances: Glances: Information disclosure via DNS rebinding attack
vendor_redhat·2026-06-25·CVSS 5.3
CVE-2026-46611 [MEDIUM] CWE-346 glances: Glances: Information disclosure via DNS rebinding attack
A vulnerability in the Glances XML-RPC server fails to properly validate HTTP Host headers, enabling DNS rebinding attacks. If a user is tricked into visiting a malicious website, a remote attacker can exploit this flaw to exfiltrate sensitive system monitoring data.
Statement: This moderate DNS rebinding vulnerability in the Glances XM
GHSA
Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
ghsa·2026-06-22·CVSS 5.9
CVE-2026-46611 [MEDIUM] CWE-346 Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
### Summary
The Glances XML-RPC server (`glances -s`, implemented in `glances/server.py`) does not validate the HTTP `Host` header, leaving it vulnerable to DNS rebinding attacks. CVE-2026-32632 (patched in 4.5.2) added `TrustedHostMiddleware` to the REST/WebUI server; the MCP server has had equivalent protection since 4.5.1. The XML-RPC server received neither fix and has no `allowed-hosts` configuration key. Combined with the unrestricted `Access-Control-Allow-Origin: *` header (see companion advisory for CVE-2026-33533 and its incomplete fix), an attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser.
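The missing check described above, sketched for a standard-library XML-RPC server. This is an added example, not Glances code and not the 4.5.5 patch; `ALLOWED_HOSTS`, `host_allowed`, `HostCheckingHandler`, `probe`, the `getAll` stand-in method and its data are hypothetical.

```python
# Added example: Host-header allowlisting for a Python XML-RPC server.
# Not Glances code; every name below is hypothetical.
import http.client
import threading
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}  # assumed operator allowlist


def host_allowed(header, allowed=ALLOWED_HOSTS):
    """Return True only if the Host header names an allowlisted host."""
    if not header:
        return False
    host = header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal, e.g. [::1]:8000
        host = host[1:].partition("]")[0]
    elif host.count(":") == 1:               # hostname:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") in allowed       # "localhost." equals "localhost"


class HostCheckingHandler(SimpleXMLRPCRequestHandler):
    """Reject a request before XML-RPC dispatch when Host is not allowlisted."""

    def do_POST(self):
        if not host_allowed(self.headers.get("Host")):
            self.send_error(400, "Invalid Host header")
            return
        super().do_POST()

    def log_message(self, *args):            # keep the demo quiet
        pass


def probe(host_header):
    """Start a loopback server, send one call with the given Host, return status."""
    server = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=HostCheckingHandler)
    server.register_function(lambda: {"cpu": 1.0}, "getAll")  # constructed stand-in data
    threading.Thread(target=server.handle_request, daemon=True).start()
    body = b"<?xml version='1.0'?><methodCall><methodName>getAll</methodName></methodCall>"
    conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
    conn.request("POST", "/RPC2", body, {"Host": host_header, "Content-Type": "text/xml"})
    status = conn.getresponse().status
    conn.close()
    server.server_close()
    return status
```

A rebound request still reaches the loopback socket, but the browser sends the attacker-controlled name in `Host`, so the handler answers 400 before any monitoring data is serialized.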
---
### Details
**Affected component:** `glanc
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack [fedora-all]
bugzilla·2026-06-26·CVSS 5.3
CVE-2026-46611 [MEDIUM] CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack [epel-all]
bugzilla·2026-06-26·CVSS 5.3
CVE-2026-46611 [MEDIUM] CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack [epel-all]
Bugzilla
CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack
bugzilla·2026-06-25·CVSS 5.3
CVE-2026-46611 [MEDIUM] CVE-2026-46611 glances: Glances: Information disclosure via DNS rebinding attack
Published: 2026-06-25