{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32632", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-12T15:29:36.559Z", "datePublished": "2026-03-18T17:47:25.929Z", "dateUpdated": "2026-03-18T18:15:59.648Z"}, "containers": {"cna": {"title": "Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding", "problemTypes": [{"descriptions": [{"cweId": "CWE-346", "lang": "en", "description": "CWE-346: Origin Validation Error", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"}, {"name": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"}, {"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"version": "< 4.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T17:47:25.929Z"}, "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."}], "source": {"advisory": "GHSA-hhcg-r27j-fhv9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T18:15:48.491743Z", "id": "CVE-2026-32632", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:15:59.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32632", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T18:15:48.491743Z"}}}], "references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T18:15:40.423Z"}}], "cna": {"title": "Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding", "source": {"advisory": "GHSA-hhcg-r27j-fhv9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "nicolargo", "product": "glances", "versions": [{"status": "affected", "version": "< 4.5.2"}]}], "references": [{"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9", "name": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-346", "description": "CWE-346: Origin Validation Error"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T17:47:25.929Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32632", "state": "PUBLISHED", "dateUpdated": "2026-03-18T18:15:59.648Z", "dateReserved": "2026-03-12T15:29:36.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T17:47:25.929Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59", "versionEndExcluding": "4.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."}], "id": "CVE-2026-32632", "lastModified": "2026-03-19T19:06:36.183", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T18:16:28.760", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-346"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "glances", "source": "cna", "vendor": "nicolargo"}, "product": "glances", "vendor": "nicolargo"}], "analysis": {"en": {"generated_at": "2026-03-19T20:24:59.470550+00:00", "value": {"mitigation_remediation": ["Upgrade Glances to version 4.5.2 or later, which includes DNS rebinding protection for the REST/WebUI.", "If an upgrade is not immediately possible, restrict external access to the Glances REST/WebUI endpoints or place the service behind a reverse proxy that enforces host validation.", "As a temporary measure, disable the REST/WebUI interface if it is not needed for operational purposes."], "summary": {"action": "Patch Immediately", "impact": "Same-origin policy bypass allowing unauthorized REST/WebUI access via DNS rebinding"}, "threat_synthesis": {"affected_systems": "The issue impacts nicolargo:glances releases prior to version 4.5.2. Any deployment of Glances 4.5.1 or earlier that exposes the REST/WebUI on a network reachable by users is vulnerable.", "description_and_impact": "Glances\u2019 REST/WGiven WebUI does not validate the Host header, which enables DNS rebinding attacks. An attacker can point a domain they control to the Glances service, causing victims\u2019 browsers to treat that domain as same\u2011origin. Because the API, WebUI, and token endpoint are reachable in this manner, an attacker can send arbitrary requests to the Glances API from a victim\u2019s browser, potentially exposing sensitive system information or triggering unintended actions. This flaw is classified as CWE\u2011346, an information exposure due to insecure host validation.", "risk_and_exploitability": "The CVSS score of 5.9 reflects a moderate vulnerability. An EPSS score of less than 1% indicates that, as of now, the likelihood of active exploitation is low, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nonetheless, the attack vector is client\u2011side (browser\u2011based) and requires the attacker to control a DNS name that can be rebound to the target. An attacker who can successfully bind a malicious domain to the Glances service can bypass same\u2011origin policy and gain unauthorized API access, potentially compromising confidentiality and integrity of monitored data."}}}}, "created": "2026-03-19T08:55:52.194934+00:00", "updated": "2026-03-24T10:58:10.216720+00:00", "vendors": ["nicolargo", "nicolargo$PRODUCT$glances"]}