CVE-2026-46611
Glances XML-RPC Server DNS Rebinding Vulnerability

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description
Glances is an open-source, cross-platform system monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser. This vulnerability is fixed in 4.5.5.
Meta Information
Generated: 2026-06-26
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: glances
Product: glances
Version / Range: up to 4.5.5 (excluding)
CWE
CWE-350: The product performs reverse DNS resolution on an IP address to obtain the hostname and make a security decision, but it does not properly ensure that the IP address is truly associated with the hostname.
CWE-346: The product does not properly verify that the source of data or communication is valid.
Executive Summary

This vulnerability exists in the Glances system monitoring tool versions prior to 4.5.5. Specifically, the XML-RPC server component does not validate the HTTP Host header, which makes it susceptible to DNS rebinding attacks.

DNS rebinding allows an attacker to manipulate the victim's browser to bypass same-origin policies and access internal services. In this case, an attacker can exploit this flaw to exfiltrate the full system monitoring dataset from the victim's browser.

The issue is fixed in version 4.5.5 of Glances.

Compliance Impact

The vulnerability allows an attacker to exfiltrate sensitive system monitoring data, including hostnames, OS details, process lists with potential credentials, and other system metrics, by exploiting DNS rebinding attacks on the Glances XML-RPC server.

Such unauthorized access and potential data leakage could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over the confidentiality and security of sensitive information.

Because the vulnerability results in a high confidentiality impact, organizations using affected versions of Glances may face compliance risks if sensitive or personal data is exposed through this flaw.

Detection Guidance

This vulnerability involves the Glances XML-RPC server not validating the HTTP Host header. Exposure can be detected by checking whether a Glances XML-RPC server is running and reachable on your system or network.

To detect the presence of the vulnerable Glances XML-RPC server, you can scan for open ports commonly used by Glances (default is 61209) and attempt to send HTTP requests with arbitrary Host headers to see if the server accepts them without validation.

Example commands to detect the vulnerable service include:

  • Use netstat or ss to check whether the Glances server is listening on the default port (61209):
      netstat -tuln | grep 61209
      ss -tuln | grep 61209
  • Use curl to send a request with a custom Host header to the Glances XML-RPC server:
      curl -v -H "Host: malicious.example.com" http://localhost:61209
  • If the server processes the request instead of rejecting it because of the Host value, the vulnerability is present.

Additionally, review your Glances version; versions prior to 4.5.5 are vulnerable.

Impact Analysis

An attacker exploiting this vulnerability can extract sensitive system monitoring data from your device by tricking your browser through DNS rebinding.

This could lead to unauthorized disclosure of system information, which might be used for further attacks or to gain insights into your system's status and configuration.

However, the attack requires user interaction (UI:R) and has a high attack complexity (AC:H), meaning it is not trivial to exploit.

Mitigation Strategies

To mitigate this vulnerability, upgrade Glances to version 4.5.5 or later, where the issue with HTTP Host header validation has been fixed.
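As an added illustration of the Host-header check the Detection Guidance probes for and the fix described above (example code, not Glances' own implementation), the handler below rejects XML-RPC requests whose Host header does not name the server itself. The allowlisted hostnames, including monitor.internal, and the bind address are assumptions; only the default port 61209 comes from the advisory.

```python
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler

# Names a legitimate client may use to reach this server (assumed values).
# A DNS-rebinding page can only choose the hostname it resolves, so any
# Host value not on this list is rejected before a method is dispatched.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "monitor.internal"}
LISTEN_PORT = 61209  # Glances default port


def split_host_header(value):
    """Return (host, port) from a Host header value, lower-cased.
    Port is None when absent; (None, None) means the header is malformed.
    Bracketed IPv6 literals such as [::1]:61209 are handled."""
    value = value.strip().lower()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        port = rest[1:] if rest.startswith(":") else ("" if rest else None)
    elif value.count(":") == 1:
        host, port = value.split(":")
    else:
        host, port = value, None  # bare name, IPv4, or unbracketed IPv6
    if port is not None and not port.isdigit():
        return None, None
    return host, (int(port) if port else None)


def host_is_allowed(header_value, allowed=ALLOWED_HOSTS, port=LISTEN_PORT):
    """True only when the Host header names this server on its own port."""
    if header_value is None:
        return False  # HTTP/1.1 requires Host; treat a missing one as hostile
    host, hdr_port = split_host_header(header_value)
    if host is None or host not in allowed:
        return False
    return hdr_port in (None, port)


class HostCheckingHandler(SimpleXMLRPCRequestHandler):
    """Runs the Host check before any XML-RPC method is dispatched."""

    def do_POST(self):
        if not host_is_allowed(self.headers.get("Host")):
            self.send_error(400, "Host header does not name this server")
            return
        super().do_POST()


if __name__ == "__main__":
    addr = ("127.0.0.1", LISTEN_PORT)  # assumed bind address
    with SimpleXMLRPCServer(addr, requestHandler=HostCheckingHandler) as srv:
        srv.register_function(lambda: "ok", "ping")
        srv.serve_forever()
```

With this handler in place, the curl probe from the Detection Guidance receives a 400 for a foreign Host value while requests to localhost:61209 are still served.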
