Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0.
Published: 2026-06-12
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nezha Monitoring versions 1.0.0 through 2.1.x have a flaw in the OAuth2 redirect URL generation where the Host header from the HTTP request is concatenated with a fixed path without any validation. This allows an attacker to supply a forged Host header, causing the constructed callback URL to point to an arbitrary domain. The resulting open redirect can be used to lure users to phishing sites, steal credentials, or perform social engineering attacks. The weakness is classified as CWE‑601.

Affected Systems

Affected systems are deployments of Nezha Monitoring by nezhahq, specifically any installation from version 1.0.0 up to, but excluding, 2.2.0. The fix was released in version 2.2.0, which eliminates the unvalidated Host header usage.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate to high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue by sending a crafted HTTP request to the OAuth2 endpoint with a forged Host header; no authentication or privileged access is required. Because the flaw impacts the redirect flow, the primary risk exposure is user-facing phishing rather than direct code execution on the host.

Generated by OpenCVE AI on June 12, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Nezha Monitoring to version 2.2.0 or later.
  • Configure the reverse proxy or web server to validate the Host header, allowing only trusted domain names to be used for redirects.
  • If OAuth2 authentication is not required for your environment, disable the OAuth2 functionality to remove the vulnerable redirect path.

Generated by OpenCVE AI on June 12, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9rc6-8cjv-rcvx Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
History

Mon, 15 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Nezhahq
Nezhahq nezha
Vendors & Products Nezhahq
Nezhahq nezha

Fri, 12 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0.
Title Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T21:35:45.175Z

Reserved: 2026-06-09T17:30:33.456Z

Link: CVE-2026-53523

cve-icon Vulnrichment

Updated: 2026-06-15T21:35:35.643Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T22:16:52.523

Modified: 2026-06-15T22:16:18.307

Link: CVE-2026-53523

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:29:58Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')