GHSA-hhcg-r27j-fhv9

Опубликовано: 16 мар. 2026

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding

Summary

Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist.

As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.

This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.

Details

The MCP endpoint now has explicit host-based transport security:

# glances/outputs/glances_mcp.py self.mcp_allowed_hosts = ["localhost", "127.0.0.1"] ... return TransportSecuritySettings( allowed_hosts=allowed_hosts, allowed_origins=allowed_origins, )

However, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:

# glances/outputs/glances_restful_api.py self._app = FastAPI(default_response_class=GlancesJSONResponse) ... self._app.add_middleware( CORSMiddleware, allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]), allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True), allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]), allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]), ) ... if self.args.password and self._jwt_handler is not None: self._app.include_router(self._token_router()) self._app.include_router(self._router())

There is no TrustedHostMiddleware, no comparison against the configured bind host, and no allowlist enforcement for HTTP Host values on the REST/WebUI surface.

The default bind configuration also exposes the service on all interfaces:

# glances/main.py parser.add_argument( '-B', '--bind', default='0.0.0.0', dest='bind_address', help='bind server to the given IPv4/IPv6 address or hostname', )

This combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.

The token endpoint is also mounted on the same unprotected FastAPI app:

# glances/outputs/glances_restful_api.py def _token_router(self) -> APIRouter: ... router.add_api_route(f'{base_path}/token', self._api_token, methods=['POST'], dependencies=[])

Why This Is Exploitable

In a DNS rebinding attack:

The attacker serves JavaScript from https://attacker.example.
The victim visits that page while a Glances instance is reachable on the victim network.
The attacker's DNS for attacker.example is rebound from the attacker's server to the Glances IP address.
The victim browser now sends same-origin requests to https://attacker.example, but those requests are delivered to Glances.
Because the Glances REST/WebUI app does not validate the Host header or enforce an allowed-host policy, it serves the response.
The attacker-controlled JavaScript can read the response as same-origin content.

The MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.

Proof of Concept

This issue is code-validated by inspection of the current implementation:

REST/WebUI/token are all mounted on a plain FastAPI(...) app
no TrustedHostMiddleware or equivalent host validation is applied
default bind is 0.0.0.0
MCP has separate rebinding protection, showing the project already recognizes the threat model

In a live deployment, the expected verification is:

# Victim-accessible Glances service glances -w # Attacker-controlled rebinding domain first resolves to attacker infra, # then rebinds to the victim-local Glances IP. # After rebind, attacker JS can fetch: fetch("http://attacker.example:61208/api/4/status") .then(r => r.text()) .then(console.log)

And if the operator exposes Glances without --password (supported and common), the attacker can read endpoints such as:

GET /api/4/status GET /api/4/all GET /api/4/config GET /api/4/args GET /api/4/serverslist

Even on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.

Impact

Remote read of local/internal REST data: DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.
Bypass of origin-based browser isolation: Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.
High-value chaining surface: This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.
Token surface exposure: The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.

Recommended Fix

Apply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:

from starlette.middleware.trustedhost import TrustedHostMiddleware allowed_hosts = config.get_list_value( 'outputs', 'allowed_hosts', default=['localhost', '127.0.0.1'], ) self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)

At minimum:

reject requests whose Host header does not match an explicit allowlist
do not rely on 0.0.0.0 bind semantics as an access-control boundary
document that reverse-proxy deployments must set a strict host allowlist

References

glances/outputs/glances_mcp.py
glances/outputs/glances_restful_api.py
glances/main.py

Ссылки

Пакеты

Наименование

Glances

pip

Затронутые версииВерсия исправления

< 4.5.2

4.5.2

EPSS

Процентиль: 4%

0.00016

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2026-32632

Дефекты

CWE-346

Связанные уязвимости

CVE-2026-32632

CVSS3: 5.9

ubuntu

11 дней назад

Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.

CVE-2026-32632

CVSS3: 5.9

nvd

11 дней назад

CVE-2026-32632

CVSS3: 5.9

debian

11 дней назад

Glances is an open-source system cross-platform monitoring tool. Glanc ...

EPSS

Процентиль: 4%

0.00016

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2026-32632

Дефекты

CWE-346