Python
CVE-2026-32632
MEDIUM
Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist.
As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.
This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.
Details
The MCP endpoint now has explicit host-based transport security:
# glances/outputs/glances_mcp.py
self.mcp_allowed_hosts = ["localhost", "127.0.0.1"]
...
return TransportSecuritySettings(
allowed_hosts=allowed_hosts,
allowed_origins=allowed_origins,
)However, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:
# glances/outputs/glances_restful_api.py
self._app = FastAPI(default_response_class=GlancesJSONResponse)
...
self._app.add_middleware(
CORSMiddleware,
allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]),
allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True),
allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]),
allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
...
if self.args.password and self._jwt_handler is not None:
self._app.include_router(self._token_router())
self._app.include_router(self._router())There is no TrustedHostMiddleware, no comparison against the configured bind host, and no allowlist enforcement for HTTP Host values on the REST/WebUI surface.
The default bind configuration also exposes the service on all interfaces:
# glances/main.py
parser.add_argument(
'-B',
'--bind',
default='0.0.0.0',
dest='bind_address',
help='bind server to the given IPv4/IPv6 address or hostname',
)This combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.
The token endpoint is also mounted on the same unprotected FastAPI app:
# glances/outputs/glances_restful_api.py
def _token_router(self) -> APIRouter:
...
router.add_api_route(f'{base_path}/token', self._api_token, methods=['POST'], dependencies=[])Why This Is Exploitable
In a DNS rebinding attack:
- The attacker serves JavaScript from
https://attacker.example. - The victim visits that page while a Glances instance is reachable on the victim network.
- The attacker's DNS for
attacker.exampleis rebound from the attacker's server to the Glances IP address. - The victim browser now sends same-origin requests to
https://attacker.example, but those requests are delivered to Glances. - Because the Glances REST/WebUI app does not validate the
Hostheader or enforce an allowed-host policy, it serves the response. - The attacker-controlled JavaScript can read the response as same-origin content.
The MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.
Proof of Concept
This issue is code-validated by inspection of the current implementation:
- REST/WebUI/token are all mounted on a plain
FastAPI(...)app - no
TrustedHostMiddlewareor equivalent host validation is applied - default bind is
0.0.0.0 - MCP has separate rebinding protection, showing the project already recognizes the threat model
In a live deployment, the expected verification is:
# Victim-accessible Glances service
glances -w
# Attacker-controlled rebinding domain first resolves to attacker infra,
# then rebinds to the victim-local Glances IP.
# After rebind, attacker JS can fetch:
fetch("http://attacker.example:61208/api/4/status")
.then(r => r.text())
.then(console.log)And if the operator exposes Glances without --password (supported and common), the attacker can read endpoints such as:
GET /api/4/status
GET /api/4/all
GET /api/4/config
GET /api/4/args
GET /api/4/serverslistEven on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.
Impact
- Remote read of local/internal REST data: DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.
- Bypass of origin-based browser isolation: Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.
- High-value chaining surface: This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.
- Token surface exposure: The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.
Recommended Fix
Apply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:
from starlette.middleware.trustedhost import TrustedHostMiddleware
allowed_hosts = config.get_list_value(
'outputs',
'allowed_hosts',
default=['localhost', '127.0.0.1'],
)
self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)At minimum:
- reject requests whose
Hostheader does not match an explicit allowlist - do not rely on
0.0.0.0bind semantics as an access-control boundary - document that reverse-proxy deployments must set a strict host allowlist
References
glances/outputs/glances_mcp.pyglances/outputs/glances_restful_api.pyglances/main.py
AnalysisAI
The Glances system monitoring application accepts arbitrary HTTP Host headers on its REST API and WebUI endpoints, enabling DNS rebinding attacks that bypass browser same-origin policy and expose sensitive system data. While the MCP endpoint was recently hardened with host validation, the main FastAPI application for REST/WebUI/token routes lacks equivalent TrustedHostMiddleware protection, allowing attackers to rebind attacker-controlled domains to the victim's local Glances instance and read API responses as same-origin content. A proof-of-concept is code-validated through source inspection, and a patch is available in version 4.5.2 and later.
Technical ContextAI
This vulnerability exploits the interaction between DNS rebinding and host header validation in web services. Glances (pkg:pip/glances) is a system monitoring tool that exposes a FastAPI-based REST API and WebUI on configurable network interfaces, with default binding to 0.0.0.0. The root cause is CWE-346 (Origin Validation Error), where the application does not enforce TrustedHostMiddleware or an equivalent allowlist mechanism on the main REST/WebUI FastAPI application, unlike the MCP endpoint which already implements host-based transport security. FastAPI and Starlette provide TrustedHostMiddleware specifically for this purpose, but the vulnerable code paths in glances/outputs/glances_restful_api.py initialize the main _app without any host validation, creating a discrepancy with the already-hardened MCP code in glances/outputs/glances_mcp.py. The default bind configuration in glances/main.py (0.0.0.0) further exposes the service on all interfaces, making it reachable from victim machines once DNS rebinding occurs.
RemediationAI
Upgrade Glances to version 4.5.2 or later immediately (see https://github.com/nicolargo/glances/releases/tag/v4.5.2). The vendor patch applies TrustedHostMiddleware to the main FastAPI application with an explicit allowlist defaulting to localhost and 127.0.0.1, consistent with the MCP hardening approach. For deployments that cannot upgrade immediately, implement host validation at the reverse proxy or firewall layer: restrict access to Glances to trusted networks only, enforce a reverse proxy with strict Host header validation and HTTPS-only connections with HSTS headers, and configure Glances to bind only to 127.0.0.1 or specific internal IPs rather than 0.0.0.0. Document that reverse-proxy deployments must set an explicit allowed_hosts allowlist in the Glances configuration to prevent rebinding attacks through proxy Host header spoofing. Enable the --password authentication option to require credentials even on local access, reducing the attack surface for unauthenticated endpoints.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-346 – Origin Validation Error
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-hhcg-r27j-fhv9