Description
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and defaults to "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,
Published: 2026-02-20
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft via forged password reset links
Action: Patch Immediately
AI Analysis

Impact

The vulnerability arises because Monica builds absolute URLs from the HTTP Host header in app/Providers/AppServiceProvider.php. Because the default configuration leaves app.force_url set to false, the framework accepts the client‑supplied Host header and inserts it into every absolute URL it generates, including the links in password‑reset emails. A remote attacker can send a password‑reset request with a malicious Host header, so that the reset link delivered to the victim points at an attacker‑controlled domain. A victim who clicks the link is taken to the attacker's site, where the reset token can be captured or credentials phished. The flaw therefore allows unauthorized access to user accounts without any additional vulnerability being exploited.

Affected Systems

The flaw affects the open‑source CRM product Monica version 4.1.2. The affected package is identified by cpe:2.3:a:monicahq:monica:4.1.2. No other versions or products are listed. Operators running that specific release should verify whether a newer safe release is available.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. The EPSS score of less than 1% signifies that, at present, the likelihood of exploitation is low, and the issue is not referenced in the CISA Known Exploited Vulnerabilities database. Nonetheless, the flaw is exploitable by an unauthenticated remote attacker over the network simply by supplying a malicious Host header when initiating a password‑reset request. No privileged access or compromise of the underlying operating system is required; the attack redirects the victim to a spoofed domain where the reset token or credentials can be captured.

Generated by OpenCVE AI on April 18, 2026 at 11:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Monica to a version where the Host header validation is fixed
  • Set the app.force_url configuration value in .env to your trusted domain to override the user‑supplied Host header
  • If an upgrade or configuration change is not immediately possible, restrict the password‑reset endpoint to only serve requests from a pre‑defined list of approved origins or disable the feature until patched
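As an added example (not code from Monica or OpenCVE) of the detection side of the recommended actions above: this Python script scans constructed access-log lines for password-reset submissions whose Host header is outside the operator's trusted host list. It assumes a log format that records the Host header and Laravel's conventional reset route paths; neither is given on the page.

```python
import re
from urllib.parse import urlparse

# Hosts this deployment legitimately serves. Assumption: this is the same value
# an operator would pin Monica to via app.force_url / the configured app URL.
TRUSTED_HOSTS = {"monica.example.org"}

# Assumption: the page does not name Monica's reset route; these are Laravel's
# conventional password-reset submission paths. Adjust to the deployment.
RESET_PATHS = {"/password/email", "/forgot-password"}

# Constructed log format: remote_addr [time] "METHOD path proto" host status.
# The Host header must actually be logged ($host / %{Host}i); default formats omit it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<host>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def normalise_host(host):
    """Lower-case and drop a trailing :port so 'Example.ORG:443' compares equal."""
    return re.sub(r":\d+$", "", host.lower())

def find_poisoning_attempts(lines, trusted=TRUSTED_HOSTS, reset_paths=RESET_PATHS):
    """Return (ip, host, path) for reset submissions whose Host header is untrusted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # only the reset-request submission triggers the email
        if urlparse(rec["path"]).path not in reset_paths:
            continue
        if normalise_host(rec["host"]) not in trusted:
            hits.append((rec["ip"], rec["host"], rec["path"]))
    return hits

# Constructed sample lines: one benign, one poisoned Host, one GET, one upper-case
# trusted host with a port, and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 [20/Feb/2026:10:00:01 +0000] "POST /password/email HTTP/1.1" monica.example.org 302',
    '203.0.113.9 [20/Feb/2026:10:00:05 +0000] "POST /password/email HTTP/1.1" attacker.invalid 302',
    '203.0.113.9 [20/Feb/2026:10:00:09 +0000] "GET /password/reset HTTP/1.1" attacker.invalid 200',
    '198.51.100.4 [20/Feb/2026:10:01:00 +0000] "POST /password/email HTTP/1.1" MONICA.example.org:443 302',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ip, host, path in find_poisoning_attempts(SAMPLE_LOG):
        print(f"untrusted Host on reset request: ip={ip} host={host} path={path}")
```

Run against a real log only after confirming the log format records the Host header; the regex must be adapted otherwise, and every line will silently fail to parse.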


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 12:00:00 +0000

  • Title (values added): Host Header Poisoning in Monica 4.1.2 Enables Phished Password Reset Links

Thu, 26 Feb 2026 02:45:00 +0000

  • CPEs (values added): cpe:2.3:a:monicahq:monica:4.1.2:*:*:*:*:*:*:*

Mon, 23 Feb 2026 21:15:00 +0000

  • Weaknesses (values added): CWE-644
  • Metrics (values added): cvssV3_1 score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N; ssvc version 2.0.3 with options Automatable: yes, Exploitation: poc, Technical Impact: partial

Mon, 23 Feb 2026 15:00:00 +0000

  • First Time appeared (values added): Monicahq; Monicahq monica
  • Vendors & Products (values added): Monicahq; Monicahq monica

Fri, 20 Feb 2026 17:15:00 +0000

  • Description (values added): A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,

References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-23T20:37:29.313Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26747

Vulnrichment

Updated: 2026-02-23T20:35:16.038Z

NVD

Status : Analyzed

Published: 2026-02-20T17:25:56.023

Modified: 2026-02-26T02:42:23.743

Link: CVE-2026-26747

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses