PT-2026-25819 · Glance+1

Restriction · Published 2026-01-01 · Updated 2026-05-08 · CVE-2026-32632

CVSS v2.0: 6.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:C/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Glances versions prior to 4.5.2

Description: Glances, a cross-platform system monitoring tool, had insufficient host validation in its main REST/WebUI FastAPI application prior to version 4.5.2. As a result, the REST API, the WebUI and the token endpoint were reachable through attacker-controlled domains in DNS rebinding scenarios. Once a victim's browser has rebound an attacker's domain to the Glances service, the same-origin policy no longer protects the service, because the browser treats the rebinding domain as the origin. This issue is separate from a previously reported CORS weakness: CORS is not required for exploitation, since the DNS rebinding already causes the browser to treat the malicious domain as same-origin. The application initializes without any host validation middleware, and the default bind configuration exposes the service on all interfaces. The Host header is not validated, and no allowlist is enforced for HTTP Host values on the REST/WebUI surface. The token endpoint is affected as well, because it is mounted on the same unprotected FastAPI application. Possible impact: remote read of local REST data, bypass of origin-based browser isolation, and an increased attack surface for chaining with other authenticated browser issues.

Recommendations: Versions prior to 4.5.2 should be updated to version 4.5.2 or later.
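The missing control described above, as an added example that is not Glances' own code: a Host-header allowlist enforced as ASGI middleware ahead of routing, which is the role Starlette's TrustedHostMiddleware fills in a real FastAPI deployment. The allowlist entries, the port 61208, the attacker domain and the /api/4/cpu path are constructed for the demonstration.

```python
import asyncio

def host_allowed(host_header: str, allowed: set) -> bool:
    """True if the Host header (port stripped) names an allowlisted host.
    Handles bracketed IPv6 literals such as [::1]:61208; empty is rejected."""
    host = (host_header or "").strip().lower()
    if not host:
        return False
    if host.startswith("["):            # IPv6 literal, optional ":port"
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]    # drop ":port"
    return host in allowed

class HostAllowlistMiddleware:
    """Pure-ASGI middleware: 400 when the Host header is not allowlisted.
    Runs before routing, so REST API, WebUI and token routes are all covered."""
    def __init__(self, app, allowed_hosts):
        self.app = app
        self.allowed = {h.lower() for h in allowed_hosts}

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http":
            headers = dict(scope.get("headers", []))
            host = headers.get(b"host", b"").decode("latin-1")
            if not host_allowed(host, self.allowed):
                await send({"type": "http.response.start", "status": 400,
                            "headers": [(b"content-type", b"text/plain")]})
                await send({"type": "http.response.body",
                            "body": b"Invalid Host header"})
                return                  # wrapped app is never reached
        await self.app(scope, receive, send)

async def _monitor_app(scope, receive, send):
    """Stand-in for the monitoring app (constructed, not Glances' code)."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b'{"cpu": 3.1}'})

def status_for_host(host: str, allowed=("localhost", "127.0.0.1")) -> int:
    """Drive one constructed GET through the wrapped app; return the status."""
    scope = {"type": "http", "method": "GET", "path": "/api/4/cpu",
             "headers": [(b"host", host.encode("latin-1"))]}
    sent = []
    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(HostAllowlistMiddleware(_monitor_app, allowed)(scope, receive, send))
    return sent[0]["status"]
```

A rebound domain still arrives with the attacker's hostname in the Host header, so the request is refused before any route, including the token endpoint, can answer it.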

Exploit

Fix

Weakness Enumeration

Origin Validation Error

Related Identifiers

BDU:2026-07162
CVE-2026-32632
GHSA-HHCG-R27J-FHV9
OPENSUSE-SU-2026:10415-1

Affected Products

Glance
Red Os