CVE-2026-32632
Status: Received - Intake
DNS Rebinding Vulnerability in Glances REST API Enables Unauthorized Access

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API, because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness: CORS is not required for exploitation here, because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nicolargo
Product: glances
Version / Range: versions up to 4.5.2 (4.5.2 excluded)
CWE
CWE-346: The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32632 is a moderate severity vulnerability in the Glances monitoring tool affecting versions up to 4.5.2-dev01. The issue arises because the main REST/WebUI FastAPI application does not validate HTTP Host headers, lacking middleware like TrustedHostMiddleware or an equivalent host allowlist.

This allows DNS rebinding attacks, where an attacker controls a domain and uses DNS to rebind that domain to the victim's Glances service IP. The victim's browser then treats requests to the attacker-controlled domain as same-origin with the Glances service, bypassing same-origin policy protections.

Because Glances accepts arbitrary Host headers, the REST API, WebUI, and token endpoints respond to these requests, allowing attacker-controlled JavaScript to access sensitive API data that should only be accessible locally or internally.

This vulnerability is distinct from CORS weaknesses because DNS rebinding causes the browser to treat the malicious domain as same-origin, eliminating the need for CORS exploitation.

The vulnerability was patched in version 4.5.2 by adding host allowlist enforcement and DNS rebinding protection for the REST API and WebUI. [1, 2]


How can this vulnerability impact me?

This vulnerability can allow remote attackers to read sensitive local or internal REST API data that should only be accessible within a local network.

Attackers can bypass browser origin-based isolation via DNS rebinding, enabling malicious JavaScript running in the victim's browser to access sensitive API responses.

Even if password protection is enabled, the lack of host validation increases the risk of chained attacks involving authenticated browser sessions.

The JWT token endpoint is also exposed to rebinding attacks, potentially compromising authentication tokens.

Overall, this increases the attack surface and risk of data exposure or unauthorized access to the Glances monitoring tool. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves the Glances REST/WebUI FastAPI application accepting arbitrary Host headers without validation, exposing it to DNS rebinding attacks.

To detect if your system is vulnerable, you can check the version of Glances installed and whether it is patched to version 4.5.2 or later.

Additionally, you can test if the REST API or WebUI endpoints accept arbitrary Host headers by sending HTTP requests with manipulated Host headers and observing the responses.

- Use curl to send a request with a custom Host header to the Glances REST API endpoint, for example: curl -H "Host: attacker.example" http://<glances-ip>:<port>/api/4/status
- Check the Glances version installed: glances --version, or check the package version via your package manager.
- Monitor network traffic for unusual DNS rebinding patterns or unexpected Host headers targeting the Glances service. [1]


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Glances to version 4.5.2 or later, which includes a patch adding host allowlist enforcement via TrustedHostMiddleware.

If upgrading immediately is not possible, you should implement host validation by adding TrustedHostMiddleware to the FastAPI application, restricting allowed Host headers to trusted hosts such as 'localhost' and '127.0.0.1'.

- Add TrustedHostMiddleware with an explicit allowed hosts list in the FastAPI app configuration.
- Configure the new 'webui_allowed_hosts' option in the Glances configuration file (conf/glances.conf) to restrict accepted Host headers.
- Avoid binding the Glances service to 0.0.0.0 if not necessary, to limit exposure.
- If using a reverse proxy, enforce strict host allowlists at the proxy level.

Reject requests with Host headers not matching the allowlist to prevent exploitation via DNS rebinding. [1, 2]
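The following is an added example (not Glances' or Starlette's own code) that implements the host allowlist enforcement described in the mitigation answer as a framework-independent ASGI middleware, and drives the manipulated-Host probe from the detection answer against both an unprotected stand-in API and the protected one; the allowlist values and the port in the sample Host headers are constructed. On a real FastAPI app the equivalent one-liner is `app.add_middleware(TrustedHostMiddleware, allowed_hosts=[...])` with the class imported from `starlette.middleware.trustedhost`.

```python
import asyncio

# Constructed allowlist for this example; Glances' own setting is
# webui_allowed_hosts in glances.conf, but the values below are assumed.
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "*.monitoring.internal"]

def host_is_allowed(host_header, allowed):
    """Port is stripped; '*.x' matches any subdomain of x (Starlette's TrustedHostMiddleware syntax)."""
    host = host_header.strip().lower().split(":", 1)[0]
    for pattern in (p.lower() for p in allowed):
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
    return False

class HostAllowlistMiddleware:
    """Minimal ASGI middleware: answer 400 to any HTTP request whose Host is not allowlisted."""
    def __init__(self, app, allowed_hosts):
        self.app, self.allowed_hosts = app, list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            host = next((v.decode("latin-1") for k, v in scope.get("headers", [])
                         if k.lower() == b"host"), "")
            if not host_is_allowed(host, self.allowed_hosts):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body", "body": b"Invalid host header"})
                return  # request never reaches the API behind the middleware
        await self.app(scope, receive, send)

async def unprotected_api(scope, receive, send):
    # Stand-in for the pre-4.5.2 REST API: answers 200 whatever the Host says.
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b'{"ok": true}'})

def status_for_host(app, host_header):
    """One GET /api/4/status with the given Host header; returns the status code the curl probe would see."""
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    scope = {"type": "http", "method": "GET", "path": "/api/4/status",
             "headers": [(b"host", host_header.encode("latin-1"))]}
    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]
```

Wrapping `unprotected_api` in `HostAllowlistMiddleware(unprotected_api, ALLOWED_HOSTS)` and calling `status_for_host` with a Host such as `attacker.example` returns 400 instead of the 200 the unwrapped stand-in gives, which is the difference the curl check in the detection answer looks for.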

