Description
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
Published: 2026-03-18
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Same-origin policy bypass allowing unauthorized REST/WebUI access via DNS rebinding
Action: Patch Immediately
AI Analysis

Impact

Glances’ REST/WGiven WebUI does not validate the Host header, which enables DNS rebinding attacks. An attacker can point a domain they control to the Glances service, causing victims’ browsers to treat that domain as same‑origin. Because the API, WebUI, and token endpoint are reachable in this manner, an attacker can send arbitrary requests to the Glances API from a victim’s browser, potentially exposing sensitive system information or triggering unintended actions. This flaw is classified as CWE‑346, an information exposure due to insecure host validation.

Affected Systems

The issue impacts nicolargo:glances releases prior to version 4.5.2. Any deployment of Glances 4.5.1 or earlier that exposes the REST/WebUI on a network reachable by users is vulnerable.

Risk and Exploitability

The CVSS score of 5.9 reflects a moderate vulnerability. An EPSS score of less than 1% indicates that, as of now, the likelihood of active exploitation is low, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the attack vector is client‑side (browser‑based) and requires the attacker to control a DNS name that can be rebound to the target. An attacker who can successfully bind a malicious domain to the Glances service can bypass same‑origin policy and gain unauthorized API access, potentially compromising confidentiality and integrity of monitored data.

Generated by OpenCVE AI on March 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.2 or later, which includes DNS rebinding protection for the REST/WebUI.
  • If an upgrade is not immediately possible, restrict external access to the Glances REST/WebUI endpoints or place the service behind a reverse proxy that enforces host validation.
  • As a temporary measure, disable the REST/WebUI interface if it is not needed for operational purposes.

Generated by OpenCVE AI on March 19, 2026 at 20:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hhcg-r27j-fhv9 Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
History

Thu, 19 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*

Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Nicolargo
Nicolargo glances
Vendors & Products Nicolargo
Nicolargo glances

Wed, 18 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
Description Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
Title Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Weaknesses CWE-346
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

Nicolargo Glances
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T18:15:59.648Z

Reserved: 2026-03-12T15:29:36.559Z

Link: CVE-2026-32632

cve-icon Vulnrichment

Updated: 2026-03-18T18:15:40.423Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T18:16:28.760

Modified: 2026-03-19T19:06:36.183

Link: CVE-2026-32632

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:58:10Z

Weaknesses