CVE-2026-26747
Host Header Poisoning in Monica 4.1.2 Enables Password Reset Hijacking
Publication date: 2026-02-20
Last updated on: 2026-02-26
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| monicahq | monica | 4.1.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-644 | The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'To mitigate the Host Header Poisoning vulnerability in Monica 4.1.2, you should configure the application to properly handle the HTTP Host header.'}, {'type': 'list_item', 'content': 'Set the "app.force_url" configuration to a fixed, trusted URL instead of leaving it as the default false.'}, {'type': 'list_item', 'content': 'Ensure that the application does not generate absolute URLs based on user-supplied Host headers.'}, {'type': 'list_item', 'content': 'Apply any available patches or updates from the Monica project that address this issue.'}] [2]
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability is a Host Header Poisoning issue in Monica version 4.1.2. It occurs because the application improperly handles the HTTP Host header in the file app/Providers/AppServiceProvider.php. When the "app.force_url" setting is not configured and defaults to false, the application uses the user-supplied Host header to generate absolute URLs, such as those included in password reset emails.'}, {'type': 'paragraph', 'content': 'An attacker can exploit this by sending a malicious Host header, which causes the application to generate a poisoned password reset link. This link is then sent to the victim, potentially redirecting them to a malicious site or enabling further attacks.'}] [2]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing remote attackers to manipulate password reset links sent to users. This can lead to phishing attacks where victims are tricked into clicking malicious links, potentially compromising their accounts or personal information.
It undermines the trustworthiness of password reset processes and can facilitate unauthorized access or credential theft if users interact with the poisoned links.