CVE-2026-26747
Received Received - Intake
Host Header Poisoning in Monica 4.1.2 Enables Password Reset Hijacking

Publication date: 2026-02-20

Last updated on: 2026-02-26

Assigner: MITRE

Description
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26747
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
monicahq monica 4.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-644 The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the Host Header Poisoning vulnerability in Monica 4.1.2, you should configure the application to properly handle the HTTP Host header.'}, {'type': 'list_item', 'content': 'Set the "app.force_url" configuration to a fixed, trusted URL instead of leaving it as the default false.'}, {'type': 'list_item', 'content': 'Ensure that the application does not generate absolute URLs based on user-supplied Host headers.'}, {'type': 'list_item', 'content': 'Apply any available patches or updates from the Monica project that address this issue.'}] [2]

Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'This vulnerability is a Host Header Poisoning issue in Monica version 4.1.2. It occurs because the application improperly handles the HTTP Host header in the file app/Providers/AppServiceProvider.php. When the "app.force_url" setting is not configured and defaults to false, the application uses the user-supplied Host header to generate absolute URLs, such as those included in password reset emails.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this by sending a malicious Host header, which causes the application to generate a poisoned password reset link. This link is then sent to the victim, potentially redirecting them to a malicious site or enabling further attacks.'}] [2]

Impact Analysis

This vulnerability can impact you by allowing remote attackers to manipulate password reset links sent to users. This can lead to phishing attacks where victims are tricked into clicking malicious links, potentially compromising their accounts or personal information.

It undermines the trustworthiness of password reset processes and can facilitate unauthorized access or credential theft if users interact with the poisoned links.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26747. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart