DEBIAN-CVE-2026-32632
- Source
- https://security-tracker.debian.org/tracker/CVE-2026-32632
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-32632.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-32632
- Upstream
- Published
- 2026-03-18T18:16:28.760Z
- Modified
- 2026-06-11T09:04:06.677005248Z
- Summary
- [none]
- Details
-
Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary
Hostheaders and does not applyTrustedHostMiddlewareor an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue. - References
Affected packages
Debian:12 / glances
Package
- Name
- glances
- Purl
- pkg:deb/debian/glances?arch=source&distro=bookworm
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:13 / glances
Package
- Name
- glances
- Purl
- pkg:deb/debian/glances?arch=source&distro=trixie
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Debian:14 / glances
Package
- Name
- glances
- Purl
- pkg:deb/debian/glances?arch=source&distro=forky