FKIE_CVE-2026-32632

Vulnerability from fkie_nvd - Published: 2026-03-18 18:16 - Updated: 2026-03-19 19:06
Severity ?
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Summary
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
References
security-advisories@github.comhttps://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9Patch
security-advisories@github.comhttps://github.com/nicolargo/glances/releases/tag/v4.5.2Release Notes
security-advisories@github.comhttps://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9Exploit, Vendor Advisory
Impacted products
Vendor Product Version
nicolargo glances *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59",
              "versionEndExcluding": "4.5.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
    },
    {
      "lang": "es",
      "value": "Glances es una herramienta de monitoreo de sistema de c\u00f3digo abierto multiplataforma. Glances a\u00f1adi\u00f3 recientemente protecci\u00f3n contra DNS rebinding para el endpoint MCP, pero antes de la versi\u00f3n 4.5.2, la aplicaci\u00f3n principal FastAPI REST/WebUI todav\u00eda acepta encabezados \u0027Host\u0027 arbitrarios y no aplica \u0027TrustedHostMiddleware\u0027 o una lista de permitidos de host equivalente. Como resultado, la API REST, la WebUI y el endpoint de token permanecen accesibles a trav\u00e9s de dominios controlados por el atacante en escenarios cl\u00e1sicos de DNS rebinding. Una vez que el navegador v\u00edctima ha reasociado el dominio del atacante al servicio Glances, la pol\u00edtica de mismo origen ya no protege la API porque el navegador considera que el dominio de reasociaci\u00f3n es el origen. Este es un problema distinto de la debilidad CORS predeterminada reportada anteriormente. CORS no es necesario para la explotaci\u00f3n aqu\u00ed porque el DNS rebinding hace que el navegador v\u00edctima trate el dominio malicioso como de mismo origen con el objetivo de rebinding. La versi\u00f3n 4.5.2 contiene un parche para el problema."
    }
  ],
  "id": "CVE-2026-32632",
  "lastModified": "2026-03-19T19:06:36.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T18:16:28.760",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.