CVE-2026-32632 in glances

Summary

by MITRE • 03/18/2026

Glances is an open-source, cross-platform system monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.


Analysis

by VulDB Data Team • 03/24/2026

CVE-2026-32632 is a DNS rebinding weakness in the Glances monitoring tool: a web page under an attacker's control can issue requests to, and read responses from, a Glances instance that the victim's browser is able to reach. It affects versions prior to 4.5.2, in which the main REST/WebUI FastAPI application accepts any value in the HTTP Host header. Neither Starlette's TrustedHostMiddleware nor an equivalent host allowlist is configured, so a request whose Host header names an attacker-controlled domain is served exactly like one addressed to the expected hostname. The missing check is an application-level one. DNS rebinding does not tamper with the network path at all; it exploits the fact that the browser defines an origin by the hostname in the URL, while the server is reached at whichever IP address that hostname currently resolves to, and a server that never inspects the Host header cannot tell the two apart.

Exploitation follows the classic DNS rebinding pattern. The attacker controls a domain and its authoritative DNS, and answers the first lookup with a public IP that serves a page containing malicious script, using a very short TTL. Once the page is loaded, the script waits for the cached lookup to expire (browsers enforce their own minimum cache time, so in practice it retries for a minute or more) and then fetches from its own origin, for example http://attacker-domain:61208/api/... (61208 is the default Glances web server port). The browser resolves the name again, the attacker's DNS now answers with the address of the Glances host (commonly 127.0.0.1 on a developer machine, or an internal address), and the TCP connection lands on the Glances service with the Host header still set to the attacker's domain. Because the request is same-origin from the browser's point of view, the script can read the response body; no preflight and no Access-Control-Allow-Origin header are involved. That is why this issue is distinct from the earlier CORS weakness and why the fix has to be Host validation rather than a CORS change. Every endpoint served by the FastAPI application is reachable this way, including the REST API, the WebUI and the token endpoint. VulDB files the issue under CWE-284 (Improper Access Control) and maps it to ATT&CK technique T1071.004 (Application Layer Protocol: DNS).

What the attacker obtains is whatever the Glances API returns to an unauthenticated client on that network path: system metrics, process lists, network and disk information, and anything else the REST API and WebUI expose, read from inside the victim's browser and exfiltrated to the attacker's server. Two caveats bound the impact. First, the rebound request carries no credentials: cookies and cached HTTP authentication are keyed to the origin the victim actually uses for Glances, not to the attacker's domain, so an instance started with a password (glances -w --password) is far less exposed than the common default of an unauthenticated web server. The token endpoint is reachable too; whether it yields anything depends on what credentials it requires, which the advisory does not state. Second, the victim has to keep the hostile page open long enough for the rebinding to take effect, and the Glances instance must be reachable from the victim's machine (localhost or an internal network address). Within those limits the attack needs nothing more than a visit to a web page. Version 4.5.2 closes the hole by validating the Host header so that only explicitly allowed hostnames are served; a request carrying any other Host value is rejected before it reaches the API routes.
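The two paragraphs above describe the rebinding sequence and the Host check that 4.5.2 adds. The following is an added example, not Glances' code and not Starlette's: host_allowed() re-implements the documented matching rules of Starlette's TrustedHostMiddleware (exact hostname, "*" and "*.suffix" patterns, port ignored) so the demonstration runs without FastAPI installed, and a toy handler stands in for the Glances app in both the pre-4.5.2 shape (no Host check) and the hardened shape. The endpoint path /api/4/cpu, the IP addresses and the domain name are constructed for illustration.

```python
"""DNS rebinding against a Host-agnostic service, and the allowlist that stops it.

Added example (not Glances' or Starlette's code). host_allowed() mirrors the
behaviour of Starlette's TrustedHostMiddleware; bracketed IPv6 literals are an
addition of this example, not a claim about Starlette."""

from dataclasses import dataclass


def host_allowed(host_header: str, allowed_hosts) -> bool:
    """True if the Host header names an allowed hostname (port ignored)."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:      # "[::1]:61208" -> "::1"
        host = host[1:host.index("]")]
    else:                                          # "localhost:61208" -> "localhost"
        host = host.split(":", 1)[0]
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*":
            return True
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return True
        if host == pattern:
            return True
    return False


@dataclass
class Request:
    host: str          # Host header exactly as the browser sent it
    path: str
    connected_ip: str  # where the browser connected; the server never sees this as a header


def glances_like_handler(req: Request, allowed_hosts=None):
    """Toy stand-in for the Glances FastAPI app.

    allowed_hosts=None reproduces the pre-4.5.2 behaviour: no Host check, any
    hostname is served. A list reproduces what TrustedHostMiddleware does:
    reject with 400 before any route runs. /api/4/cpu is an assumed path."""
    if allowed_hosts is not None and not host_allowed(req.host, allowed_hosts):
        return 400, "Invalid host header"
    if req.path == "/api/4/cpu":
        return 200, {"total": 12.5, "user": 8.0, "system": 4.5}
    return 404, "Not Found"


class RebindingDNS:
    """Attacker's authoritative DNS: the first answer is the attacker's web
    server, every later answer is the address the victim should be tricked
    into hitting. A real attacker pairs this with a TTL of a few seconds."""

    def __init__(self, attacker_ip: str, target_ip: str):
        self.answers = [attacker_ip, target_ip]
        self.lookups = 0

    def resolve(self, name: str) -> str:
        answer = self.answers[min(self.lookups, len(self.answers) - 1)]
        self.lookups += 1
        return answer


def run_rebinding(allowed_hosts=None):
    """Walk through the attack; return (first_ip, second_ip, status, body).

    1. victim loads http://rebind.attacker.example:61208/ -> attacker server, hostile JS
    2. JS waits for the cached lookup to expire, fetches /api/4/cpu from its own origin
    3. second lookup returns the Glances address; the browser connects there with the
       same Host header, and the request is same-origin for the page's script
    """
    dns = RebindingDNS("203.0.113.10", "127.0.0.1")  # constructed addresses
    origin = "rebind.attacker.example"
    first_ip = dns.resolve(origin)
    second_ip = dns.resolve(origin)
    req = Request(host=f"{origin}:61208", path="/api/4/cpu", connected_ip=second_ip)
    status, body = glances_like_handler(req, allowed_hosts)
    return first_ip, second_ip, status, body


if __name__ == "__main__":
    print("pre-4.5.2, no Host check:", run_rebinding())
    print("with host allowlist:    ", run_rebinding(["localhost", "127.0.0.1", "*.internal"]))
```

The handler deliberately ignores connected_ip: a server only ever sees the Host header, which is exactly why the Host header is the thing that must be checked. In a real FastAPI application the equivalent of the hardened branch is app.add_middleware(TrustedHostMiddleware, allowed_hosts=[...]) with TrustedHostMiddleware imported from starlette.middleware.trustedhost; the allowlist must contain every hostname and address operators legitimately use to reach the instance, or those requests are rejected too.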

The broader lesson is that framework defaults decide this. FastAPI, through Starlette, does not validate the Host header unless the application installs TrustedHostMiddleware or performs an equivalent check, and a service that binds to 0.0.0.0 or even to localhost becomes a rebinding target the moment a browser on the same machine or network visits a hostile page. The distinction from the CORS issue matters operationally: CORS hardening would not have helped, because the browser never treats the rebound request as cross-origin. Organizations should update to Glances 4.5.2 or later. Where that is not immediately possible, or as defence in depth, the usual rebinding mitigations apply: start the web server with a password, bind it to an address that browsers on untrusted networks cannot reach, front it with a reverse proxy that enforces its own host allowlist, and configure internal resolvers to refuse answers that map external names to loopback, private or link-local addresses (dnsmasq's stop-dns-rebind option and the equivalent settings in other resolvers do this). On the detection side, a single name whose answers flip from a public address to an internal one within a short window is the signature of a rebinding attempt and is easy to spot in resolver logs.

Responsible

GitHub M

Reservation

03/12/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00028

KEV

no

Activities

very low
