CVE-2026-53523 (published 2026-06-12)
Priority: P3 (35) · Severity: medium · CVSS 3.1 base score: 6.8
CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.23% (14.2th percentile)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | nezhahq_nezha | >= 1.0.0 < 2.2.0 | 2.2.0 |
| nezhahq | nezha | — | — |
GHSA · 2026-06-26
CVE-2026-53523 [MEDIUM] CWE-601 Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
## 1. Description
The `getRedirectURL` function in `oauth2.go:22-29` constructs the OAuth2 callback URL by concatenating the request's `Host` header with a fixed path, with **zero validation** of the Host header:
```go
// Excerpt from cmd/dashboard/controller/oauth2.go (versions 1.0.0 to before 2.2.0).
func getRedirectURL(c *gin.Context) string {
	scheme := "http://"
	referer := c.Request.Referer()
	// The scheme is inferred from client-controlled inputs (X-Forwarded-Proto and Referer).
	if forwardedProto := c.Request.Header.Get("X-Forwarded-Proto"); forwardedProto == "https" || strings.HasPrefix(referer, "https://") {
		scheme = "https://"
	}
	// The Host header is used verbatim: no allowlist and no configured base URL.
	return scheme + c.Request.Host + "/api/v1/oauth2/callback"
}
```
**File:** `cmd/dashboard/controller/oauth2.go:22-29`
This function is called from `oauth2redirect()` at line 53:
```go
func oauth2redirect(c *gin.Context) (*model.Oauth2LoginResponse, error) {
	// ... (the rest of this function is not reproduced on this page)
```
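The vulnerable pattern above, placed beside a hardened form, as an added example that is not code from the Nezha project and not the fix shipped in 2.2.0 (this page does not reproduce that patch). It uses `net/http` rather than gin so it runs with the standard library alone; `RedirectPolicy`, its fields, `SafeRedirectURL` and `vulnerableRedirectURL` are names chosen here, and the sample request is constructed. The defensive idea is to take the callback origin from operator configuration (a fixed base URL or an exact-match host allowlist) instead of from the request, and to trust `X-Forwarded-Proto` only when a reverse proxy is known to set it.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

const callbackPath = "/api/v1/oauth2/callback"

// ErrUntrustedHost is returned when the Host header is not on the allowlist.
var ErrUntrustedHost = errors.New("oauth2: untrusted Host header")

// RedirectPolicy holds operator-configured trust settings (hypothetical; not Nezha's config).
type RedirectPolicy struct {
	// BaseURL, when set, supplies the callback origin verbatim; the request is ignored.
	BaseURL string
	// AllowedHosts is an exact-match (case-insensitive) allowlist of host[:port] values.
	AllowedHosts []string
	// TrustForwardedProto must only be true behind a proxy that overwrites X-Forwarded-Proto.
	TrustForwardedProto bool
}

// vulnerableRedirectURL mirrors the pre-2.2.0 behaviour the advisory describes:
// scheme and host both come from client-controlled request data with no validation.
func vulnerableRedirectURL(r *http.Request) string {
	scheme := "http://"
	if r.Header.Get("X-Forwarded-Proto") == "https" || strings.HasPrefix(r.Referer(), "https://") {
		scheme = "https://"
	}
	return scheme + r.Host + callbackPath
}

// SafeRedirectURL builds the callback URL from a trusted origin only.
func (p RedirectPolicy) SafeRedirectURL(r *http.Request) (string, error) {
	// Preferred: a configured base URL, independent of anything in the request.
	if p.BaseURL != "" {
		base, err := url.Parse(p.BaseURL)
		if err != nil || base.Scheme == "" || base.Host == "" {
			return "", fmt.Errorf("oauth2: invalid configured base URL %q", p.BaseURL)
		}
		return base.Scheme + "://" + base.Host + callbackPath, nil
	}
	// Fallback: accept the Host header only if it matches the allowlist exactly.
	host := strings.ToLower(strings.TrimSpace(r.Host))
	allowed := false
	for _, h := range p.AllowedHosts {
		if strings.EqualFold(h, host) {
			allowed = true
			break
		}
	}
	if !allowed {
		return "", ErrUntrustedHost
	}
	// Scheme comes from the actual TLS state, or from the proxy header only when trusted.
	scheme := "http"
	if r.TLS != nil || (p.TrustForwardedProto && r.Header.Get("X-Forwarded-Proto") == "https") {
		scheme = "https"
	}
	return scheme + "://" + host + callbackPath, nil
}

func main() {
	// Constructed sample request carrying a Host header the deployment does not own.
	r, _ := http.NewRequest("GET", "/api/v1/oauth2/login", nil)
	r.Host = "spoofed.example"
	fmt.Println("vulnerable:", vulnerableRedirectURL(r))

	p := RedirectPolicy{AllowedHosts: []string{"dashboard.example.com"}}
	if _, err := p.SafeRedirectURL(r); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

When reviewing a deployment for this class of issue, the check is whether the callback origin can be influenced by any request field at all; a host allowlist closes the injection, but a configured base URL is simpler to reason about and removes the dependence on proxy headers entirely.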
VulDB · 2026-06-13 · CVSS 6.8
CVE-2026-53523 [MEDIUM] nezhahq nezha up to 2.1.x Header oauth2.go getRedirectURL Host redirect (GHSA-9rc6-8cjv-rcvx)
A vulnerability, which was classified as problematic, was found in nezhahq nezha up to 2.1.x. Affected by this issue is the function getRedirectURL of the file oauth2.go of the component Header Handler. Such manipulation of the argument Host leads to open redirect.
This vulnerability is listed as CVE-2026-53523. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.