What is the CVSS score of CVE-2026-53523?

CVE-2026-53523 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-53523?

Yes, a patch is available for CVE-2026-53523. Update the affected software to the latest version immediately.

Nezha Monitoring CVE-2026-53523

EUVD-2026-36602 MEDIUM

URL Redirection to Untrusted Site (Open Redirect) (CWE-601)

2026-06-12 GitHub_M

Open Redirect Nezha

6.8

CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY

6.8 MEDIUM

AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

vuln.today AI

6.8 MEDIUM

Network vector with high complexity for Host header manipulation; no privileges required but victim must complete OAuth flow for token exfiltration.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch available

Jun 12, 2026 - 23:01 EUVD

Analysis Generated

Jun 12, 2026 - 22:21 vuln.today

DescriptionCVE.org

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header. This can result in host header injection. This issue has been patched in version 2.2.0.

AnalysisAI

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redirect OAuth2 callback URLs to attacker-controlled domains, enabling OAuth token theft and account takeover. The flaw resides in the getRedirectURL function (oauth2.go:22-29), which blindly concatenates the HTTP request's Host header with a fixed path when constructing the OAuth2 redirect URL, with no allowlisting or validation performed. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify Nezha instance with OAuth2 enabled

Delivery

Craft OAuth2 login URL with malicious Host header

Exploit

Deliver phishing link to target administrator

Install

Victim initiates OAuth2 authentication flow

Nezha constructs callback URL using injected Host

Execute

OAuth authorization code delivered to attacker domain

Impact

Attacker exchanges code for session access

Recon

Identify Nezha instance with OAuth2 enabled

Delivery

Craft OAuth2 login URL with malicious Host header

Exploit

Deliver phishing link to target administrator

Install

Victim initiates OAuth2 authentication flow

Nezha constructs callback URL using injected Host

Execute

OAuth authorization code delivered to attacker domain

Impact

Attacker exchanges code for session access

Vulnerability AssessmentAI

Exploitation	Exploitation requires three concurrent conditions: (1) The target Nezha Monitoring instance must have OAuth2 authentication configured and enabled - instances using only local/password authentication do not exercise the vulnerable getRedirectURL code path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The NVD CVSS 3.1 score of 6.8 with vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N represents a moderate-to-high real-world risk under the right deployment conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker targeting a Nezha instance with OAuth2 enabled and no Host-normalizing reverse proxy crafts a link to the instance's OAuth2 initiation endpoint, ensuring the HTTP Host header is set to an attacker-controlled domain. The attacker socially engineers a Nezha administrator - via email, messaging, or a watering-hole page - into clicking the link and completing the OAuth2 login flow; the OAuth authorization code or token is then delivered to the attacker's server, granting full account access. …
Remediation	Vendor-released patch: version 2.2.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-50089 MEDIUM This Month

6.1 Jun 12

Open redirect in the Aqara IAM/SSO Gateway (gw-builder.aqara.com) allows remote unauthenticated attackers to craft Aqara

CVE-2026-10837 MEDIUM This Month

5.1 Jun 17

Open redirection in Password Manager exposes users to phishing attacks by failing to validate the X-Forwarded-Host HTTP

CVE-2026-10839 MEDIUM This Month

5.1 Jun 17

Open redirection in the Password Manager authentication system enables network-accessible, unauthenticated attackers to

CVE-2026-54276 MEDIUM This Month

Jun 15

DigestAuthMiddleware in aiohttp leaks HTTP Digest authentication credentials to attacker-controlled cross-origin redirec

CVE-2026-53523 vulnerability details – vuln.today

Back

Nezha Monitoring CVE-2026-53523

Severity by source

CVSS VectorVendor: GitHub_M

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Share

External POC / Exploit Code