Description
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser. This vulnerability is fixed in 4.5.5.
Published: 2026-06-25
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Glances XML-RPC server, before version 4.5.5, fails to validate the HTTP Host header, exposing the system monitoring dataset to an adversary. By exploiting DNS rebinding, an attacker can cause a victim's browser to query the local XML-RPC endpoint and exfiltrate all monitoring data. The weakness is classified as an Origin Validation Error (CWE-346) and as Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350); together they permit unauthorized information disclosure.

Affected Systems

The vulnerability affects the Glances monitoring tool developed by nicolargo, specifically all releases earlier than 4.5.5. Versions 4.5.4 and below run the XML‑RPC server without host header checks and are susceptible to the described attack.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, with no EPSS score available and the vulnerability not yet listed in CISA KEV. Based on the description, it is inferred that the attack vector requires a victim’s browser to interact with a malicious web page that performs DNS rebinding against the local XML‑RPC endpoint. Exploitation is therefore limited to environments where the endpoint is reachable from a browser and relies on user interaction; however, once triggered, the attacker can read the entire monitoring dataset.

Generated by OpenCVE AI on June 25, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Glances to version 4.5.5 or newer where host header validation is added.
  • If the XML‑RPC interface is not required for your deployment, disable or remove the XML‑RPC server component.
  • Restrict network access to the XML‑RPC endpoint by binding it to localhost or applying firewall rules to limit external connections.
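The first recommended action, validating the Host header, works because a DNS-rebinding page makes the victim's browser connect to the local listener while still sending the attacker's hostname in the Host header; a server that only accepts requests whose Host names its own bind address refuses those requests. The following is an added example of such a check on a stock Python xmlrpc server. It is not Glances' own code and not the 4.5.5 fix; the bind address and port (127.0.0.1:8000), the helper names, and the getAll sample function are assumptions for the demonstration.

```python
"""Host-header allowlist for a Python XML-RPC server.

Added example, not Glances' code: it shows the shape of a Host check that
defeats DNS rebinding against a locally bound listener.
"""

import ipaddress
from http import HTTPStatus
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

# Assumed bind address and port for the demo (not taken from Glances).
BIND_HOST = "127.0.0.1"
BIND_PORT = 8000


def parse_host_header(value):
    """Split a Host header into (host, port-or-None), lower-cased.

    Returns (None, None) when the header is malformed. Bracketed IPv6
    ("[::1]:8000") and bare IPv6 ("::1") are both accepted.
    """
    value = value.strip().lower()
    if not value:
        return None, None
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            return None, None
        host, rest = value[1:end], value[end + 1:]
        if rest and not rest.startswith(":"):
            return None, None
        port = rest[1:] if rest else None
    elif value.count(":") == 1:
        host, port = value.split(":", 1)
    else:  # no port, or a bare IPv6 literal
        host, port = value, None
    if port is not None:
        if not port.isdigit():
            return None, None
        port = int(port)
    return host, port


def default_allowed_hosts(bind_host):
    """Hostnames a legitimate client would send for this bind address."""
    allowed = {bind_host.lower()}
    try:
        if ipaddress.ip_address(bind_host).is_loopback:
            allowed.update({"localhost", "127.0.0.1", "::1"})
    except ValueError:
        pass  # bind_host is a hostname, keep it as the only entry
    return allowed


def host_allowed(host_header, allowed_hosts, bind_port):
    """True only if Host names an allowed host and, if a port is given,
    that port is the one we listen on. A rebinding page's Host header
    carries the attacker's domain and therefore fails this check."""
    host, port = parse_host_header(host_header or "")
    if host is None:
        return False
    if port is not None and port != bind_port:
        return False
    return host in allowed_hosts


class HostCheckingHandler(SimpleXMLRPCRequestHandler):
    """Request handler that rejects POSTs with an unexpected Host header."""

    rpc_paths = ("/", "/RPC2")
    allowed_hosts = default_allowed_hosts(BIND_HOST)
    bind_port = BIND_PORT

    def do_POST(self):
        if not host_allowed(self.headers.get("Host"), self.allowed_hosts, self.bind_port):
            self.close_connection = True
            self.send_error(HTTPStatus.BAD_REQUEST, "Invalid Host header")
            return
        super().do_POST()


def make_server(bind_host=BIND_HOST, bind_port=BIND_PORT):
    """Build the XML-RPC server with the Host-checking handler installed."""
    server = SimpleXMLRPCServer(
        (bind_host, bind_port), requestHandler=HostCheckingHandler, logRequests=False
    )
    # Constructed sample endpoint standing in for a monitoring dataset.
    server.register_function(lambda: {"cpu_percent": 12.5}, "getAll")
    return server


if __name__ == "__main__":
    make_server().serve_forever()
```

The check is applied before the request body is parsed, so a rejected request never reaches any registered function. Binding to 127.0.0.1 alone (the third recommended action) does not replace this check, since a rebinding attack is delivered by the victim's own browser on the same host.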

Advisories

Source        ID                     Title
Github GHSA   GHSA-w856-8p3r-p338    Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack

History

Thu, 25 Jun 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Nicolargo; Nicolargo glances
Vendors & Products   -                Nicolargo; Nicolargo glances

Thu, 25 Jun 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.5, the Glances XML-RPC server (glances -s, implemented in glances/server.py) does not validate the HTTP Host header, leaving it vulnerable to DNS rebinding attacks. An attacker can exploit DNS rebinding to exfiltrate the full system monitoring dataset from a victim's browser. This vulnerability is fixed in 4.5.5.
Title         -                Glances: XML-RPC Server Missing Host Header Validation Enables DNS Rebinding Attack
Weaknesses    -                CWE-346; CWE-350
References    -                -
Metrics       -                cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:00:47.735Z

Reserved: 2026-05-15T19:34:14.011Z

Link: CVE-2026-46611

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses
  • CWE-346

    Origin Validation Error

  • CWE-350

    Reliance on Reverse DNS Resolution for a Security-Critical Action