CVE-2026-32632 Overview
CVE-2026-32632 is a DNS rebinding vulnerability affecting Glances, an open-source cross-platform system monitoring tool. Prior to version 4.5.2, the main REST/WebUI FastAPI application accepts arbitrary Host headers without applying TrustedHostMiddleware or an equivalent host allowlist. This allows attackers to bypass same-origin policy protections through DNS rebinding attacks, potentially exposing sensitive system monitoring data and API endpoints to malicious actors.
Critical Impact
Attackers can leverage DNS rebinding to access Glances REST API, WebUI, and token endpoints through attacker-controlled domains, bypassing browser same-origin protections and potentially accessing sensitive system monitoring information.
Affected Products
- Nicolargo Glances versions prior to 4.5.2
- Glances REST API endpoints
- Glances WebUI interface
Discovery Timeline
- 2026-03-18 - CVE-2026-32632 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32632
Vulnerability Analysis
This vulnerability stems from the lack of Host header validation in Glances' FastAPI application. Although Glances had previously added DNS rebinding protection for the MCP endpoint, the main REST API and WebUI remained unprotected. The issue is classified as CWE-346 (Origin Validation Error): the origin of a request is not properly validated.
The attack requires user interaction: a victim must visit an attacker-controlled website while able to reach a Glances instance on their network. Once the attacker's domain has been rebound to the IP address of the Glances service, the browser treats requests to that domain as same-origin with the Glances target, bypassing same-origin policy protections entirely.
It is important to note that this is a distinct issue from typical CORS weaknesses. CORS headers are not required for exploitation, because DNS rebinding causes the victim's browser to treat the malicious domain as same-origin with the target service.
Root Cause
The root cause is the absence of host header validation in the FastAPI application handling REST API and WebUI requests. Without TrustedHostMiddleware or an equivalent mechanism to validate incoming Host headers against an allowlist, the application accepts requests regardless of which domain they appear to originate from. This architectural oversight allows DNS rebinding attacks to succeed even when other security measures like CORS are properly configured.
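To make the root cause concrete, here is an added example (not code from Glances, FastAPI or Starlette) of Host header allowlisting written as a small pure-Python ASGI middleware around a stand-in monitoring app: the unwrapped app answers any Host header, as the pre-4.5.2 application did, while the wrapped one rejects off-list hosts with 400 before the app runs. The matching rules are an assumption restating TrustedHostMiddleware's behaviour (port stripped, `*` allows everything, `*.example.com` matches subdomains but not the bare domain); the app, the allowlist values and the hostnames are constructed for this example.

```python
"""Host-header allowlisting as a minimal ASGI middleware (added example).

Two constructed apps are exercised: the bare stand-in monitoring app, which
answers any Host header (the pre-4.5.2 situation), and the same app wrapped
in the allowlist middleware, which rejects off-list hosts with 400.
Pure asyncio; no FastAPI or Starlette dependency."""
import asyncio
import json
from typing import Iterable


def host_allowed(host_header: str, allowed_hosts: Iterable[str]) -> bool:
    """True if the Host header value is on the allowlist.

    Assumption: this restates the matching rules of Starlette's
    TrustedHostMiddleware rather than importing it. The port is stripped,
    "*" allows everything, and "*.example.com" matches any subdomain but
    not the bare domain. Bracketed IPv6 literals are not handled here.
    """
    host = host_header.split(":")[0].strip().lower()
    for pattern in allowed_hosts:
        pattern = pattern.strip().lower()
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith("*") and host.endswith(pattern[1:]):
            return True
    return False


async def send_plain(send, status: int, body: str) -> None:
    """Emit a complete ASGI HTTP response with a text/plain body."""
    payload = body.encode()
    await send({
        "type": "http.response.start",
        "status": status,
        "headers": [(b"content-type", b"text/plain"),
                    (b"content-length", str(len(payload)).encode())],
    })
    await send({"type": "http.response.body", "body": payload})


async def monitoring_app(scope, receive, send):
    """Stand-in for a monitoring REST endpoint; the stats are constructed."""
    await send_plain(send, 200, json.dumps({"cpu_percent": 12.5, "mem_percent": 41.0}))


class HostAllowlistMiddleware:
    """Reject HTTP requests whose Host header is off-list before the app runs."""

    def __init__(self, app, allowed_hosts: Iterable[str]):
        self.app = app
        self.allowed_hosts = list(allowed_hosts)

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                   for k, v in scope.get("headers", [])}
        if not host_allowed(headers.get("host", ""), self.allowed_hosts):
            await send_plain(send, 400, "Invalid host header")
            return
        await self.app(scope, receive, send)


async def _request(app, host_header: str, path: str = "/api/stats") -> int:
    """Drive one simulated GET through an ASGI app and return the status code."""
    scope = {"type": "http", "method": "GET", "path": path,
             "headers": [(b"host", host_header.encode("latin-1"))]}
    result = {}

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.start":
            result["status"] = message["status"]

    await app(scope, receive, send)
    return result["status"]


def status_for(app, host_header: str) -> int:
    """Synchronous wrapper: status code the app returns for a given Host header."""
    return asyncio.run(_request(app, host_header))


# Constructed allowlist in the same comma-list spirit as webui_allowed_hosts.
ALLOWED_HOSTS = ["localhost", "127.0.0.1", "*.example.com"]
unprotected_app = monitoring_app                            # no host validation
protected_app = HostAllowlistMiddleware(monitoring_app, ALLOWED_HOSTS)

if __name__ == "__main__":
    for label, app in (("unprotected", unprotected_app), ("protected", protected_app)):
        for host in ("localhost:8080", "monitor.example.com", "rebind.attacker.test"):
            print(f"{label:11s} Host={host:22s} -> {status_for(app, host)}")
```

Because the middleware answers before the wrapped app is invoked, a rebound request with an off-list Host never reaches the monitoring data; CORS configuration plays no part in that decision, which is why the page treats this as separate from CORS weaknesses.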
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must:
- Control a domain and its DNS records
- Lure a victim to visit an attacker-controlled webpage
- Use DNS rebinding to point the attacker's domain to the victim's Glances instance IP
- Execute JavaScript in the victim's browser to make requests to the rebinding domain
- Access Glances API endpoints, WebUI, and token endpoints as if they were same-origin
The following patch shows how the vulnerability was addressed by implementing TrustedHostMiddleware:
allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
+ # FastAPI Enable DNS rebinding protection via Host header validation
+ # When webui_allowed_hosts is configured, requests with a Host header
+ # not in the allowlist are rejected with 400 Bad Request.
+ if self.webui_allowed_hosts:
+ from starlette.middleware.trustedhost import TrustedHostMiddleware
+
+ self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=self.webui_allowed_hosts)
+ logger.info(f"TrustedHostMiddleware enabled (allowed hosts: {self.webui_allowed_hosts})")
+
# FastAPI Define routes
# Token endpoint router (no authentication required) - must be added first
if self.args.password and self._jwt_handler is not None:
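Review bot: the protection is opt-in, since the `if self.webui_allowed_hosts:` guard skips TrustedHostMiddleware entirely when the option is unset or empty, and nothing is logged in that case; add an `else` branch that emits a `logger.warning` saying Host header validation is disabled, so operators who upgrade without setting `webui_allowed_hosts` notice that the default configuration is still unprotected. Moving `from starlette.middleware.trustedhost import TrustedHostMiddleware` to module level would also surface an import problem at startup rather than only on the configured path.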
Source: GitHub Commit Details
Detection Methods for CVE-2026-32632
Indicators of Compromise
- Unusual or unexpected Host headers in Glances web server access logs that don't match legitimate hostnames
- API requests originating from unfamiliar domains or IP addresses in server logs
- Unexplained access to Glances WebUI or REST API from external networks
- Authentication token requests from sources other than expected client systems
Detection Strategies
- Monitor web server logs for requests containing Host headers that don't match configured server names or IP addresses
- Implement network-level monitoring to detect DNS rebinding patterns, such as rapid DNS record changes for domains accessing internal services
- Review Glances access logs for API calls originating from unexpected browser user-agents combined with unusual Host headers
- Deploy intrusion detection rules to flag HTTP requests to internal services with external domain Host headers
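The first detection strategy above, run over constructed log lines, as an added example that is not Glances output or code: it assumes a web server or reverse proxy in front of Glances that records the Host header in a trailing host="..." field, and the client IPs, request paths, hostnames and expected-host list are made up for the example.

```python
"""Scan access-log lines for Host headers outside the expected set (added example)."""
import re
from collections import Counter
from typing import Iterable, Optional

# Constructed log lines in a combined-log style with a trailing host="..."
# field, as a reverse proxy in front of Glances could be configured to emit.
# Client IPs, paths and hostnames are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2026:10:01:02 +0000] "GET /api/4/all HTTP/1.1" 200 1532 host="monitor.example.com"
10.0.0.5 - - [19/Mar/2026:10:01:07 +0000] "GET /api/4/cpu HTTP/1.1" 200 210 host="monitor.example.com:8080"
10.0.0.9 - - [19/Mar/2026:10:02:41 +0000] "GET /api/4/all HTTP/1.1" 200 1532 host="rebind.attacker.test"
10.0.0.9 - - [19/Mar/2026:10:02:43 +0000] "GET /api/4/all HTTP/1.1" 200 1532 host="rebind.attacker.test"
10.0.0.7 - - [19/Mar/2026:10:03:10 +0000] "GET / HTTP/1.1" 200 4031 host="192.168.1.20"
"""

# Hostnames and addresses the Glances instance is legitimately reached by
# (constructed; in practice take these from the webui_allowed_hosts setting).
EXPECTED_HOSTS = ["monitor.example.com", "192.168.1.20", "localhost", "127.0.0.1"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into its fields, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def host_matches(host_header: str, expected: Iterable[str]) -> bool:
    """Exact match after stripping the port; '*.example.com' matches subdomains."""
    host = host_header.split(":")[0].lower()
    return any(host == p.lower() or (p.startswith("*.") and host.endswith(p[1:].lower()))
               for p in expected)


def find_host_mismatches(log_text: str, expected: Iterable[str]) -> list:
    """Return parsed entries whose Host header is not in the expected set."""
    expected = list(expected)
    return [entry for entry in map(parse_line, log_text.splitlines())
            if entry and not host_matches(entry["host"], expected)]


def summarize(hits: list) -> Counter:
    """Count flagged requests per (client IP, Host) pair; a usable alert key."""
    return Counter((h["ip"], h["host"].split(":")[0]) for h in hits)


if __name__ == "__main__":
    flagged = find_host_mismatches(SAMPLE_LOG, EXPECTED_HOSTS)
    for (ip, host), n in summarize(flagged).items():
        print(f"{ip} sent {n} request(s) with unexpected Host header {host!r}")
```

Note that the default access log of an ASGI server such as uvicorn does not record the Host header, so the field has to be added by a reverse proxy log format or by the verbose request logging the Monitoring Recommendations section calls for; without it, the log cannot distinguish a rebound request from a legitimate one, because the client IP is the victim's own browser in both cases.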
Monitoring Recommendations
- Enable verbose logging in Glances to capture all incoming request headers for forensic analysis
- Configure network security tools to alert on DNS rebinding indicators such as TTL values near zero for domains accessing internal resources
- Implement browser-side monitoring in corporate environments to detect JavaScript-based DNS rebinding exploitation attempts
- Regularly audit Glances configuration files to ensure webui_allowed_hosts is properly configured after upgrading
How to Mitigate CVE-2026-32632
Immediate Actions Required
- Upgrade Glances to version 4.5.2 or later immediately
- Configure the webui_allowed_hosts setting in glances.conf with specific allowed hostnames and IP addresses
- Restrict network access to Glances instances using firewall rules to limit exposure
- Review access logs for any signs of exploitation prior to patching
Patch Information
The vulnerability is patched in Glances version 4.5.2. The fix introduces support for TrustedHostMiddleware via a new configuration option. Security patches are available through:
Workarounds
- If upgrading is not immediately possible, place Glances behind a reverse proxy that validates Host headers before forwarding requests
- Implement network segmentation to ensure Glances instances are not accessible from untrusted networks
- Bind Glances to localhost only (127.0.0.1) if remote access is not required
- Use VPN or SSH tunneling for remote access to Glances instead of exposing the service directly
The following configuration example shows how to enable DNS rebinding protection after upgrading:
# DNS rebinding protection for the REST API / WebUI
# Restrict the HTTP Host header accepted by the web server.
# Comma-separated list of hostnames or IPs. Wildcards are supported (e.g. *.example.com).
# When this key is absent or commented out, no host filtering is applied (default behaviour).
# Recommended for any internet-facing or multi-tenant deployment.
webui_allowed_hosts=localhost,127.0.0.1,myserver.example.com
Source: GitHub Commit Details
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.