CVE-2026-26747
Published: 20 February 2026
Summary
CVE-2026-26747 is a critical-severity Improper Neutralization of HTTP Headers for Scripting Syntax (CWE-644) vulnerability in Monicahq Monica. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SI-2 requires timely identification, reporting, and remediation of software flaws, directly addressing the improper Host header handling in app/Providers/AppServiceProvider.php for this CVE.
CM-6 enforces secure configuration settings, such as setting 'app.force_url' to a trusted value, so that the application does not generate absolute URLs from user-supplied Host headers.
SI-10 mandates information input validation at entry points, such as validating the HTTP Host header against expected domains to block poisoning attempts.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Host header poisoning in a public-facing web application (Monica) directly enables T1190 exploitation to generate malicious password-reset URLs. This in turn facilitates T1566.002, because the attacker-controlled reset links are delivered to victims by email, supporting account takeover or phishing.
NVD Description
A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the "app.force_url" is not set and default is "false". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,
Deeper analysis [AI]
CVE-2026-26747 is a Host Header Poisoning vulnerability in Monica 4.1.2, stemming from improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php. The issue is compounded by a default misconfiguration: the "app.force_url" setting is not defined and defaults to "false", so the application generates absolute URLs, such as those embedded in password reset emails, directly from the user-supplied Host header.
Remote attackers can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N), with high impact on confidentiality (C:H) and integrity (I:H) and none on availability (A:N). The CVSS v3.1 base score is 9.1, and the weakness is mapped to CWE-644. By poisoning the Host header in requests that trigger password reset emails, attackers can manipulate the links sent to victims, enabling account takeover or phishing via redirected reset URLs.
Mitigation details and further analysis are documented in the referenced advisory at https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md, with the affected Monica repository available at https://github.com/monicahq/monica.
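As an added example (not code from Monica or Laravel), the two mitigations named above, CM-6 and SI-10, can be implemented in a Laravel application: pin the URL generator's root to the configured application URL instead of the request's Host, and reject any request whose Host header is not on an allowlist before anything downstream builds a password-reset link from it. The config keys `app.url` and `app.force_url` are assumed to have the meaning the advisory describes, and `app.trusted_hosts` is a hypothetical array of permitted hostnames; the validator normalises letter case, a port suffix and a trailing dot so that lookalike values do not pass.

```php
<?php
// Added example, not Monica's or Laravel's own code. Assumes config keys app.url,
// app.force_url (per the advisory) and a hypothetical app.trusted_hosts (array of hostnames).

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\URL;

/**
 * Normalise a raw Host header value and check it against an allowlist.
 * Accepts "Example.com:8443" (case, port) and "example.com." (trailing dot) as
 * example.com; rejects anything malformed (extra colons, embedded paths, empty).
 */
function hostIsTrusted(string $hostHeader, array $trustedHosts): bool
{
    $host = strtolower(trim($hostHeader));
    // Split off an optional port without breaking a bracketed IPv6 literal.
    if (preg_match('/^(\[[^\]]+\]|[^:]+)(?::\d{1,5})?$/', $host, $m) !== 1) {
        return false;
    }
    $host = rtrim($m[1], '.');
    foreach ($trustedHosts as $trusted) {
        if ($host === strtolower(rtrim($trusted, '.'))) {
            return true;
        }
    }
    return false;
}

/** SI-10: input validation at the entry point, applied to the Host header. */
class ValidateHostHeader
{
    public function handle(Request $request, Closure $next)
    {
        $raw = $request->headers->get('host', '');
        if (!hostIsTrusted($raw, config('app.trusted_hosts', []))) {
            abort(400, 'Untrusted Host header');  // log this: it is a poisoning attempt signal
        }
        return $next($request);
    }
}

/** CM-6: call from AppServiceProvider::boot(). With app.force_url left false (the
 *  reported default) nothing is forced and generated URLs follow the request's Host. */
function forceTrustedRootUrl(): void
{
    if (config('app.force_url')) {
        URL::forceRootUrl(config('app.url'));
        URL::forceScheme(parse_url(config('app.url'), PHP_URL_SCHEME) ?: 'https');
    }
}
```

Laravel 8 and later ship an `Illuminate\Http\Middleware\TrustHosts` middleware that serves the same purpose as the hand-written `ValidateHostHeader`; the version here makes visible what such a check has to normalise. Rejected requests are worth alerting on, since a Host value that is not one of your own names has no legitimate origin.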
Details
- CWE(s)