CVE-2026-32632 - Vulnerability-Lookup

CVE-2026-32632 (GCVE-0-2026-32632)

Vulnerability from cvelistv5 – Published: 2026-03-18 17:47 – Updated: 2026-03-18 18:15

Title

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Summary

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

CWE

CWE-346 - Origin Validation Error

Assigner

GitHub_M

References

URL

Tags

	https://github.com/nicolargo/glances/security/adv…	x_refsource_CONFIRM
	https://github.com/nicolargo/glances/commit/5850c…	x_refsource_MISC
	https://github.com/nicolargo/glances/releases/tag…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	nicolargo	glances	Affected: < 4.5.2

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32632",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-18T18:15:48.491743Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-18T18:15:59.648Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "glances",
          "vendor": "nicolargo",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-346",
              "description": "CWE-346: Origin Validation Error",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-18T17:47:25.929Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
        },
        {
          "name": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
        },
        {
          "name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
        }
      ],
      "source": {
        "advisory": "GHSA-hhcg-r27j-fhv9",
        "discovery": "UNKNOWN"
      },
      "title": "Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-32632",
    "datePublished": "2026-03-18T17:47:25.929Z",
    "dateReserved": "2026-03-12T15:29:36.559Z",
    "dateUpdated": "2026-03-18T18:15:59.648Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32632\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-18T18:16:28.760\",\"lastModified\":\"2026-03-19T19:06:36.183\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.2\",\"matchCriteriaId\":\"3FC19E01-80F1-43BB-912C-39FE99143A59\"}]}]}],\"references\":[{\"url\":\"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nicolargo/glances/releases/tag/v4.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32632\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-18T18:15:48.491743Z\"}}}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-18T18:15:40.423Z\"}}], \"cna\": {\"title\": \"Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding\", \"source\": {\"advisory\": \"GHSA-hhcg-r27j-fhv9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\", \"name\": \"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-18T17:47:25.929Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32632\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-18T18:15:59.648Z\", \"dateReserved\": \"2026-03-12T15:29:36.559Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-18T17:47:25.929Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

OPENSUSE-SU-2026:10415-1

Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00

Summary

glances-common-4.5.2-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: glances-common-4.5.2-1.1 on GA media

Description of the patch: These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10415

Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

CVE-2026-32596

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32608

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32609

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32610

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32611

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32632

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32633

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-32634

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-32596/	self
	https://www.suse.com/security/cve/CVE-2026-32608/	self
	https://www.suse.com/security/cve/CVE-2026-32609/	self
	https://www.suse.com/security/cve/CVE-2026-32610/	self
	https://www.suse.com/security/cve/CVE-2026-32611/	self
	https://www.suse.com/security/cve/CVE-2026-32632/	self
	https://www.suse.com/security/cve/CVE-2026-32633/	self
	https://www.suse.com/security/cve/CVE-2026-32634/	self
	https://www.suse.com/security/cve/CVE-2026-32596	external
	https://bugzilla.suse.com/1260321	external
	https://www.suse.com/security/cve/CVE-2026-32608	external
	https://bugzilla.suse.com/1260320	external
	https://www.suse.com/security/cve/CVE-2026-32609	external
	https://bugzilla.suse.com/1259832	external
	https://www.suse.com/security/cve/CVE-2026-32610	external
	https://bugzilla.suse.com/1259841	external
	https://www.suse.com/security/cve/CVE-2026-32611	external
	https://bugzilla.suse.com/1259840	external
	https://www.suse.com/security/cve/CVE-2026-32632	external
	https://bugzilla.suse.com/1259839	external
	https://www.suse.com/security/cve/CVE-2026-32633	external
	https://bugzilla.suse.com/1259838	external
	https://www.suse.com/security/cve/CVE-2026-32634	external
	https://bugzilla.suse.com/1259837	external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "glances-common-4.5.2-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10415",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10415-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32596 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32596/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32608 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32608/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32609 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32609/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32610 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32610/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32611 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32611/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32632 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32632/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32633 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32633/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-32634 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-32634/"
      }
    ],
    "title": "glances-common-4.5.2-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-03-24T00:00:00Z",
      "generator": {
        "date": "2026-03-24T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10415-1",
      "initial_release_date": "2026-03-24T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-03-24T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.aarch64",
                "product": {
                  "name": "glances-common-4.5.2-1.1.aarch64",
                  "product_id": "glances-common-4.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.aarch64",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.aarch64",
                  "product_id": "python311-Glances-4.5.2-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.aarch64",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.aarch64",
                  "product_id": "python313-Glances-4.5.2-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "glances-common-4.5.2-1.1.ppc64le",
                  "product_id": "glances-common-4.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.ppc64le",
                  "product_id": "python311-Glances-4.5.2-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.ppc64le",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.ppc64le",
                  "product_id": "python313-Glances-4.5.2-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.s390x",
                "product": {
                  "name": "glances-common-4.5.2-1.1.s390x",
                  "product_id": "glances-common-4.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.s390x",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.s390x",
                  "product_id": "python311-Glances-4.5.2-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.s390x",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.s390x",
                  "product_id": "python313-Glances-4.5.2-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "glances-common-4.5.2-1.1.x86_64",
                "product": {
                  "name": "glances-common-4.5.2-1.1.x86_64",
                  "product_id": "glances-common-4.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-Glances-4.5.2-1.1.x86_64",
                "product": {
                  "name": "python311-Glances-4.5.2-1.1.x86_64",
                  "product_id": "python311-Glances-4.5.2-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python313-Glances-4.5.2-1.1.x86_64",
                "product": {
                  "name": "python313-Glances-4.5.2-1.1.x86_64",
                  "product_id": "python313-Glances-4.5.2-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64"
        },
        "product_reference": "glances-common-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le"
        },
        "product_reference": "glances-common-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x"
        },
        "product_reference": "glances-common-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "glances-common-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64"
        },
        "product_reference": "glances-common-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64"
        },
        "product_reference": "python311-Glances-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python313-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        },
        "product_reference": "python313-Glances-4.5.2-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-32596",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32596"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32596",
          "url": "https://www.suse.com/security/cve/CVE-2026-32596"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260321 for CVE-2026-32596",
          "url": "https://bugzilla.suse.com/1260321"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32596"
    },
    {
      "cve": "CVE-2026-32608",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32608"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32608",
          "url": "https://www.suse.com/security/cve/CVE-2026-32608"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1260320 for CVE-2026-32608",
          "url": "https://bugzilla.suse.com/1260320"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32608"
    },
    {
      "cve": "CVE-2026-32609",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32609"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32609",
          "url": "https://www.suse.com/security/cve/CVE-2026-32609"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259832 for CVE-2026-32609",
          "url": "https://bugzilla.suse.com/1259832"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32609"
    },
    {
      "cve": "CVE-2026-32610",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32610"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32610",
          "url": "https://www.suse.com/security/cve/CVE-2026-32610"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259841 for CVE-2026-32610",
          "url": "https://bugzilla.suse.com/1259841"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32610"
    },
    {
      "cve": "CVE-2026-32611",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32611"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32611",
          "url": "https://www.suse.com/security/cve/CVE-2026-32611"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259840 for CVE-2026-32611",
          "url": "https://bugzilla.suse.com/1259840"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-32611"
    },
    {
      "cve": "CVE-2026-32632",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32632"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32632",
          "url": "https://www.suse.com/security/cve/CVE-2026-32632"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259839 for CVE-2026-32632",
          "url": "https://bugzilla.suse.com/1259839"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-32632"
    },
    {
      "cve": "CVE-2026-32633",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32633"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32633",
          "url": "https://www.suse.com/security/cve/CVE-2026-32633"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259838 for CVE-2026-32633",
          "url": "https://bugzilla.suse.com/1259838"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2026-32633"
    },
    {
      "cve": "CVE-2026-32634",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-32634"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
          "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-32634",
          "url": "https://www.suse.com/security/cve/CVE-2026-32634"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1259837 for CVE-2026-32634",
          "url": "https://bugzilla.suse.com/1259837"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
            "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-03-24T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-32634"
    }
  ]
}

FKIE_CVE-2026-32632

Vulnerability from fkie_nvd - Published: 2026-03-18 18:16 - Updated: 2026-03-19 19:06

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Summary

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.

References

	URL	Tags
	security-advisories@github.com	https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9	Patch
	security-advisories@github.com	https://github.com/nicolargo/glances/releases/tag/v4.5.2	Release Notes
	security-advisories@github.com	https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9	Exploit, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nicolargo	glances	*

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59",
              "versionEndExcluding": "4.5.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
    }
  ],
  "id": "CVE-2026-32632",
  "lastModified": "2026-03-19T19:06:36.183",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-18T18:16:28.760",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-HHCG-R27J-FHV9

Vulnerability from github – Published: 2026-03-16 16:34 – Updated: 2026-03-18 21:48

Summary

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Details

Summary

Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist.

As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.

This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.

Details

The MCP endpoint now has explicit host-based transport security:

# glances/outputs/glances_mcp.py
self.mcp_allowed_hosts = ["localhost", "127.0.0.1"]
...
return TransportSecuritySettings(
    allowed_hosts=allowed_hosts,
    allowed_origins=allowed_origins,
)

However, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:

# glances/outputs/glances_restful_api.py
self._app = FastAPI(default_response_class=GlancesJSONResponse)
...
self._app.add_middleware(
    CORSMiddleware,
    allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]),
    allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True),
    allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]),
    allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
...
if self.args.password and self._jwt_handler is not None:
    self._app.include_router(self._token_router())
self._app.include_router(self._router())

There is no TrustedHostMiddleware, no comparison against the configured bind host, and no allowlist enforcement for HTTP Host values on the REST/WebUI surface.

The default bind configuration also exposes the service on all interfaces:

# glances/main.py
parser.add_argument(
    '-B',
    '--bind',
    default='0.0.0.0',
    dest='bind_address',
    help='bind server to the given IPv4/IPv6 address or hostname',
)

This combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.

The token endpoint is also mounted on the same unprotected FastAPI app:

# glances/outputs/glances_restful_api.py
def _token_router(self) -> APIRouter:
    ...
    router.add_api_route(f'{base_path}/token', self._api_token, methods=['POST'], dependencies=[])

Why This Is Exploitable

In a DNS rebinding attack:

The attacker serves JavaScript from https://attacker.example.
The victim visits that page while a Glances instance is reachable on the victim network.
The attacker's DNS for attacker.example is rebound from the attacker's server to the Glances IP address.
The victim browser now sends same-origin requests to https://attacker.example, but those requests are delivered to Glances.
Because the Glances REST/WebUI app does not validate the Host header or enforce an allowed-host policy, it serves the response.
The attacker-controlled JavaScript can read the response as same-origin content.

The MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.

Proof of Concept

This issue is code-validated by inspection of the current implementation:

REST/WebUI/token are all mounted on a plain FastAPI(...) app
no TrustedHostMiddleware or equivalent host validation is applied
default bind is 0.0.0.0
MCP has separate rebinding protection, showing the project already recognizes the threat model

In a live deployment, the expected verification is:

# Victim-accessible Glances service
glances -w

# Attacker-controlled rebinding domain first resolves to attacker infra,
# then rebinds to the victim-local Glances IP.
# After rebind, attacker JS can fetch:
fetch("http://attacker.example:61208/api/4/status")
  .then(r => r.text())
  .then(console.log)

And if the operator exposes Glances without --password (supported and common), the attacker can read endpoints such as:

GET /api/4/status
GET /api/4/all
GET /api/4/config
GET /api/4/args
GET /api/4/serverslist

Even on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.

Impact

Remote read of local/internal REST data: DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.
Bypass of origin-based browser isolation: Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.
High-value chaining surface: This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.
Token surface exposure: The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.

Recommended Fix

Apply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:

from starlette.middleware.trustedhost import TrustedHostMiddleware

allowed_hosts = config.get_list_value(
    'outputs',
    'allowed_hosts',
    default=['localhost', '127.0.0.1'],
)

self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)

At minimum:

reject requests whose Host header does not match an explicit allowlist
do not rely on 0.0.0.0 bind semantics as an access-control boundary
document that reverse-proxy deployments must set a strict host allowlist

References

glances/outputs/glances_mcp.py
glances/outputs/glances_restful_api.py
glances/main.py

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Glances"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32632"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-16T16:34:23Z",
    "nvd_published_at": "2026-03-18T18:16:28Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nGlances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist.\n\nAs a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.\n\nThis is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.\n\n## Details\n\nThe MCP endpoint now has explicit host-based transport security:\n\n```python\n# glances/outputs/glances_mcp.py\nself.mcp_allowed_hosts = [\"localhost\", \"127.0.0.1\"]\n...\nreturn TransportSecuritySettings(\n    allowed_hosts=allowed_hosts,\n    allowed_origins=allowed_origins,\n)\n```\n\nHowever, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:\n\n```python\n# glances/outputs/glances_restful_api.py\nself._app = FastAPI(default_response_class=GlancesJSONResponse)\n...\nself._app.add_middleware(\n    CORSMiddleware,\n    allow_origins=config.get_list_value(\u0027outputs\u0027, \u0027cors_origins\u0027, default=[\"*\"]),\n    allow_credentials=config.get_bool_value(\u0027outputs\u0027, \u0027cors_credentials\u0027, default=True),\n    allow_methods=config.get_list_value(\u0027outputs\u0027, \u0027cors_methods\u0027, default=[\"*\"]),\n    allow_headers=config.get_list_value(\u0027outputs\u0027, \u0027cors_headers\u0027, default=[\"*\"]),\n)\n...\nif self.args.password and self._jwt_handler is not None:\n    self._app.include_router(self._token_router())\nself._app.include_router(self._router())\n```\n\nThere is no `TrustedHostMiddleware`, no comparison against the configured bind host, and no allowlist enforcement for HTTP `Host` values on the REST/WebUI surface.\n\nThe default bind configuration also exposes the service on all interfaces:\n\n```python\n# glances/main.py\nparser.add_argument(\n    \u0027-B\u0027,\n    \u0027--bind\u0027,\n    default=\u00270.0.0.0\u0027,\n    dest=\u0027bind_address\u0027,\n    help=\u0027bind server to the given IPv4/IPv6 address or hostname\u0027,\n)\n```\n\nThis combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.\n\nThe token endpoint is also mounted on the same unprotected FastAPI app:\n\n```python\n# glances/outputs/glances_restful_api.py\ndef _token_router(self) -\u003e APIRouter:\n    ...\n    router.add_api_route(f\u0027{base_path}/token\u0027, self._api_token, methods=[\u0027POST\u0027], dependencies=[])\n```\n\n## Why This Is Exploitable\n\nIn a DNS rebinding attack:\n\n1. The attacker serves JavaScript from `https://attacker.example`.\n2. The victim visits that page while a Glances instance is reachable on the victim network.\n3. The attacker\u0027s DNS for `attacker.example` is rebound from the attacker\u0027s server to the Glances IP address.\n4. The victim browser now sends same-origin requests to `https://attacker.example`, but those requests are delivered to Glances.\n5. Because the Glances REST/WebUI app does not validate the `Host` header or enforce an allowed-host policy, it serves the response.\n6. The attacker-controlled JavaScript can read the response as same-origin content.\n\nThe MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.\n\n## Proof of Concept\n\nThis issue is code-validated by inspection of the current implementation:\n\n- REST/WebUI/token are all mounted on a plain `FastAPI(...)` app\n- no `TrustedHostMiddleware` or equivalent host validation is applied\n- default bind is `0.0.0.0`\n- MCP has separate rebinding protection, showing the project already recognizes the threat model\n\nIn a live deployment, the expected verification is:\n\n```bash\n# Victim-accessible Glances service\nglances -w\n\n# Attacker-controlled rebinding domain first resolves to attacker infra,\n# then rebinds to the victim-local Glances IP.\n# After rebind, attacker JS can fetch:\nfetch(\"http://attacker.example:61208/api/4/status\")\n  .then(r =\u003e r.text())\n  .then(console.log)\n```\n\nAnd if the operator exposes Glances without `--password` (supported and common), the attacker can read endpoints such as:\n\n```bash\nGET /api/4/status\nGET /api/4/all\nGET /api/4/config\nGET /api/4/args\nGET /api/4/serverslist\n```\n\nEven on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.\n\n## Impact\n\n- **Remote read of local/internal REST data:** DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.\n- **Bypass of origin-based browser isolation:** Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.\n- **High-value chaining surface:** This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.\n- **Token surface exposure:** The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.\n\n## Recommended Fix\n\nApply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:\n\n```python\nfrom starlette.middleware.trustedhost import TrustedHostMiddleware\n\nallowed_hosts = config.get_list_value(\n    \u0027outputs\u0027,\n    \u0027allowed_hosts\u0027,\n    default=[\u0027localhost\u0027, \u0027127.0.0.1\u0027],\n)\n\nself._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)\n```\n\nAt minimum:\n\n- reject requests whose `Host` header does not match an explicit allowlist\n- do not rely on `0.0.0.0` bind semantics as an access-control boundary\n- document that reverse-proxy deployments must set a strict host allowlist\n\n## References\n\n- `glances/outputs/glances_mcp.py`\n- `glances/outputs/glances_restful_api.py`\n- `glances/main.py`",
  "id": "GHSA-hhcg-r27j-fhv9",
  "modified": "2026-03-18T21:48:39Z",
  "published": "2026-03-16T16:34:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32632"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nicolargo/glances"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.