PatchSiren cyber security CVE debrief
CVE-2026-53523 nezhahq CVE debrief
CVE-2026-53523 is a medium-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. Versions from 1.0.0 up to, but not including, 2.2.0 are affected by a host header injection issue: the getRedirectURL function builds a URL from the request's Host header without validating it, so an attacker who controls that header controls the host part of the resulting URL. The vulnerability carries a CVSS score of 6.8; it requires no privileges but does require user interaction (the victim must follow an attacker-crafted request). It has been patched in version 2.2.0.
- Vendor
- nezhahq
- Product
- nezha
- CVSS
- MEDIUM 6.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-12
- Original CVE updated
- 2026-06-12
- Advisory published
- 2026-06-12
- Advisory updated
- 2026-06-12
Who should care
Users of any Nezha Monitoring release from 1.0.0 up to, but not including, 2.2.0 should update to version 2.2.0 or later to mitigate this vulnerability.
Technical summary
The getRedirectURL function in oauth2.go (lines 22-29) constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, without validating the Host header against the hostnames the instance is actually served on. Because the Host header is fully attacker-controlled, this is a host header injection: a crafted request yields a callback URL whose host is chosen by the attacker rather than by the operator's configuration.
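The pattern described above, and one way to harden it, as an added Go example. This is illustrative code written for this debrief, not Nezha's own getRedirectURL or its fix; the function names, the callback path, and the allow-list configuration are assumptions. The vulnerable function copies the request Host verbatim; the hardened one only emits a host that appears in an operator-supplied allow-list, and emits the configured value rather than echoing the request, so that tricks such as a `user@host` segment smuggled through the port position are rejected instead of reflected.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// callbackPath is an assumed OAuth2 callback path used only for this example.
const callbackPath = "/api/v1/oauth2/callback"

// schemeFor derives the URL scheme. Trusting X-Forwarded-Proto is itself only
// safe when a trusted reverse proxy strips that header from client requests.
func schemeFor(r *http.Request) string {
	if r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") {
		return "https"
	}
	return "http"
}

// vulnerableRedirectURL reproduces the flawed pattern: the request Host is
// concatenated into the callback URL without any validation, so whoever sends
// the request decides which host the callback points at.
func vulnerableRedirectURL(r *http.Request) string {
	return schemeFor(r) + "://" + r.Host + callbackPath
}

// hardenedRedirectURL accepts the request only if its Host (case-insensitively)
// equals one of the operator-configured host[:port] values, and then builds the
// URL from the configured value, never from the attacker-controlled header.
func hardenedRedirectURL(r *http.Request, allowedHosts []string) (string, error) {
	got := strings.ToLower(strings.TrimSpace(r.Host))
	for _, allowed := range allowedHosts {
		if got == strings.ToLower(allowed) {
			return schemeFor(r) + "://" + allowed + callbackPath, nil
		}
	}
	return "", errors.New("untrusted Host header: " + r.Host)
}

// newRequest builds a constructed request with the given Host header so the
// example runs offline; Go's server stores the Host header in r.Host.
func newRequest(host string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/oauth2/login", nil)
	r.Host = host
	return r
}

func main() {
	allowed := []string{"monitor.example.com"}
	for _, h := range []string{
		"monitor.example.com",
		"evil.example",
		"monitor.example.com:8008@evil.example",
	} {
		r := newRequest(h)
		fmt.Printf("Host %q\n  vulnerable: %s\n", h, vulnerableRedirectURL(r))
		if u, err := hardenedRedirectURL(r, allowed); err != nil {
			fmt.Printf("  hardened:   rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened:   %s\n", u)
		}
	}
}
```

The allow-list should contain exactly the host[:port] values the instance is served on; comparing the whole string, rather than splitting off a port, is deliberate, since a permissive split would let `monitor.example.com:8008@evil.example` match on its host part and then be reflected as a URL with user-info pointing at a different authority.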
Defensive priority
Medium
Recommended defensive actions
- Update Nezha Monitoring to version 2.2.0 or later.
- Do not derive externally visible URLs from the request Host header; build them from a configured site URL, or validate the Host against an allow-list of the hostnames the instance is actually served on.
- Configure any reverse proxy in front of Nezha to reject requests whose Host header is not one of the served names, so a forged Host never reaches the application.
Evidence notes
CVE-2026-53523 has been patched in version 2.2.0. For more information, see the GitHub security advisory [GHSA-9rc6-8cjv-rcvx](https://github.com/nezhahq/nezha/security/advisories/GHSA-9rc6-8cjv-rcvx).
Official resources
- CVE-2026-53523 CVE record (CVE.org)
- CVE-2026-53523 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: CVE-2026-53523 was published on 2026-06-12T22:16:52.523Z and has not been modified since.