CVE-2026-53523 is a medium-severity open redirect vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 1.0.0, < 2.2.0. It is fixed in 2.2.0.
Description The getRedirectURL function in oauth2.go:22-29 constructs the OAuth2 callback URL by concatenating the request's Host header with a fixed path, with zero validation of the Host header: File: cmd/dashboard/controller/oauth2.go:22-29 This function is called from oauth2redirect() at line 53: The redirectURL is passed into o2confRaw.Setup(redirectURL) which configures the OAuth2 Config.RedirectURL field (oauth2config.go:22-33). This RedirectURL is sent to the OAuth2 provider (e.g., GitHub, Google, Microsoft) as the callback endpoint. The OAuth2 provider will redirect the user's browser, along with the authorization code, to this URL after the user authenticates. The security issue is that c.Request.Host is directly user-controllable via the HTTP Host header. An attacker who can control which Host header reaches the oauth2redirect handler can: Set Host: evil.com getRedirectURL returns https://evil.com/api/v1/oauth2/callback The OAuth2 provider redirects the victim's auth code to evil.com The attacker's server at evil.com captures the auth code The attacker exchanges the code for an access token, binding the victim's OAuth identity to the attacker's dashboard account The scheme detection (lines 24-27) uses X-Forwarded-Proto and the Referer header, both of which are also user-controllable in certain configurations, so the attacker can force https:// scheme in the redirect URL. The oauth2callback handler at line 129 later uses state.RedirectURL (which is stored in singleton.Cache at line 65) when calling exchangeOpenId at line 152. The cached redirectURL was set during the initial oauth2redirect call, tying the attack flow together. PoC A conceptual attack (no Docker needed): Prerequisites for full exploit: The victim must click the attacker's crafted link The OAuth2 provider must accept the attacker's domain as a valid redirect URI (some providers accept https:/// or allow wildcards; others are strict) Impact Account takeover: an attacker who intercepts the OAuth2 authorization code can bind the victim's OAuth identity (GitHub, Google, GitLab, etc.) to their own dashboard account, gaining the victim's access level and permissions Privilege escalation: if the victim is an admin, the attacker gains full administrative control over the Nezha deployment, access to all servers, credentials, and configuration Persistence: once bound, the attacker retains access even if the victim resets their password (unless they also unbind the OAuth2 identity) The attack complexity is higher than typical Host header injection scenarios because it requires: The Host header to reach the dashboard's handler unmodified (bypassing reverse proxy normalization) The OAuth2 provider to have loose redirect URL validation User interaction (the victim must authenticate) However, the code-level vulnerability is unambiguous: the application trusts attacker-controlled input (Host header) for a security-critical URL that participates in the OAuth2 authorization code flow. Remediation Validate the Host header against a configured allowlist of known dashboard hostnames: go func getRedirectURL(c gin.Context) string { host := c.Request.Host if !singleton.Conf.IsAllowedHost(host) { host = singleton.Conf.DashboardBaseURL // fallback } // ... } Pin the redirect URL to the configured dashboard URL from singleton.Conf instead of deriving it from the request Host header: go func getRedirectURL(c gin.Context) string { return singleton.Conf.DashboardBaseURL + "/api/v1/oauth2/callback" } Remove Host header-based URL construction entirely, the OAuth2 redirect URL should be deterministic based on server configuration, not dynamic per-request Add Host header validation middleware for all OAuth2-related endpoints as defense-in-depth
Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites. Typical impact: phishing and credential harvesting via a trusted domain.
CVE-2026-53523 has a CVSS score of 6.8 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.2.0). Upgrading removes the vulnerable code path.
go
github.com/nezhahq/nezha (>= 1.0.0, < 2.2.0)github.com/nezhahq/nezha → 2.2.0 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-53523 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-53523 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-53523 in your environment →Upgrade github.com/nezhahq/nezha to 2.2.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-53523 is a medium-severity open redirect vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 1.0.0, < 2.2.0. It is fixed in 2.2.0. Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites.
CVE-2026-53523 has a CVSS score of 6.8 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/nezhahq/nezha (go) versions >= 1.0.0, < 2.2.0 is affected.
Yes. CVE-2026-53523 is fixed in 2.2.0. Upgrade to this version or later.
Whether CVE-2026-53523 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/nezhahq/nezha to 2.2.0 or later.