
Anyone Could Have Taken Over Your Monica Account
If you self-host Monica to keep the threads of your personal life in one place, there's a question worth sitting with for a moment: how sure are you that you're the only person who can get into your account? Not because you picked a weak password. Not because someone talked you into handing it over. Because of the way affected installations of Monica handled a routine part of the password-reset process, the path back into an account could be quietly redirected, so that the one-time link meant to return you to your data could be steered to someone else instead. No password required. No existing access. Just your email address. In April 2026, NoScope found it.
What a Monica account actually holds
Before anything else, it's worth being specific about what's at stake. Monica isn't a spreadsheet of business contacts. It's where people record the texture of their relationships: family members and how they're related, the names of someone's children, a parent's upcoming surgery, what was said in a difficult conversation, debts and favours, gift ideas, the small private notes you keep so you don't forget what matters to the people in your life. It is, in effect, a diary of everyone you care about.
The only thing standing between that diary and the rest of the world is supposed to be your password, and the quiet assurance that a password-reset link is a private bridge that leads back to you and no one else. On affected installations, that assurance didn't hold. And on a shared family or team instance, an administrator account doesn't open one diary, it opens everyone's.
What NoScope found
The NoScope pentesting agent approaches a target the way an attacker does, working through a methodology refined by in-the-field experience from real pentesters. Its value isn't the exotic, deeply chained exploit that comes to mind when people picture offensive security. It's the discipline to run the simple checks too, the ones so basic they're easy to assume have already been covered on a product this established.
This finding lived in exactly that kind of place. Account recovery is about as routine as a feature gets, and the test that surfaced the flaw wasn't clever, it was elementary: the sort of check that looks too simple to be worth running against a mature, widely deployed platform. That is precisely why it had the room to survive. The cases that feel too obvious to fail are the ones attention drifts past.
The full impact was then confirmed by our testing team in a controlled environment, against a Monica instance configured the way the project's own documentation and community widely guide operators to configure it when running behind a reverse proxy. The finding reproduced cleanly.
On affected installations, the account-recovery process did not deliver the guarantee operators reasonably expected: that the link returning a user to their account could only ever return it to them. The mechanism is deliberately withheld in this publication. Full technical details have been shared with the Monica maintainer team.
A quiet flaw in a trusted corner
Account recovery is foundational. It ships early, it rarely changes, and once it appears to work, it stops getting looked at. Operators trust it the way they trust a lock they've never had reason to test. That trust is reasonable, and it's also exactly why a weakness here can sit unnoticed: the feature behaves correctly for every legitimate user, every day, while quietly behaving differently for someone willing to ask it the wrong question.
There's a quiet bias in how software gets tested. Effort flows toward the complex and the new, the features that look like they might break. The plumbing that has worked since day one gets the benefit of the doubt, and a check this basic is easy to assume someone, at some point, already ran. Often no one did.
NoScope doesn't extend that benefit of the doubt. It runs the elementary checks with the same rigour as the elaborate ones, regardless of how settled or how simple a feature looks from the outside. This finding is what that produces in practice.
Responsible disclosure
NoScope notified the Monica maintainer team on 13 April 2026. Follow-ups were sent on April 16, April 29, May 31, and June 2, with the final message giving the team a 3-day window before publication. No response was received at any point.
This post is published with the mechanism deliberately withheld for that reason: operators deserve to know enough to protect themselves, without anyone being handed a blueprint to act on. No vulnerable endpoint, parameter, or reproduction detail appears here. The full technical write-up remains with the maintainers and will be released once a fix is available.
Immediate mitigation: Pin your instance to its real address. Set APP_URL in your configuration to the canonical URL your users actually visit, so account-recovery links are always built against your own domain rather than derived from the incoming request. Then tighten which proxies you trust: rather than trusting all of them with APP_TRUSTED_PROXIES=*, restrict the setting to the specific address of your own reverse proxy. The trade-off to weigh: if you genuinely run Monica behind a proxy, CDN, or load balancer, that setting has to be configured to your proxy specifically, not left open, or you lose the protection.
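As an added example, not code from the NoScope post or the Monica project: a small POSIX shell audit that reads a Monica .env from stdin and reports whether the two settings named above are pinned. It only knows about APP_URL and APP_TRUSTED_PROXIES; the sample values it runs against (the hostname monica.example.org and the proxy address 10.0.0.5) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the NoScope post or the Monica project.
# Reads a Monica .env on stdin and checks the two settings the mitigation
# names: APP_URL must be an absolute URL, APP_TRUSTED_PROXIES must not be "*".
# Returns 0 when both look pinned, 1 otherwise, printing one line per finding.

# Last value assigned to KEY ($1) in the .env text ($2), surrounding quotes stripped.
env_value() {
  printf '%s\n' "$2" | sed -n "s/^$1=//p" | tail -n 1 | tr -d "\"'"
}

check_monica_env() {
  content=$(cat)
  status=0
  app_url=$(env_value APP_URL "$content")
  proxies=$(env_value APP_TRUSTED_PROXIES "$content")

  case "$app_url" in
    http://*|https://*)
      ;;                                # pinned to an absolute address
    "")
      echo "APP_URL is unset: recovery links are built from the incoming request"
      status=1 ;;
    *)
      echo "APP_URL is '$app_url': expected the absolute URL your users visit"
      status=1 ;;
  esac

  case "$proxies" in
    "*")
      echo "APP_TRUSTED_PROXIES=*: proxy headers from any source are trusted"
      status=1 ;;
  esac
  return $status
}

# Constructed sample .env contents (APP_URL, APP_TRUSTED_PROXIES) for the demo.
make_env() {
  printf 'APP_ENV=production\nAPP_URL=%s\nAPP_TRUSTED_PROXIES=%s\n' "$1" "$2"
}

# Demo: the open configuration, then the pinned one.
echo "--- open configuration"
make_env "" "*" | check_monica_env || echo "result: NOT pinned"
echo "--- pinned configuration"
make_env "https://monica.example.org" "10.0.0.5" | check_monica_env && echo "result: pinned"
```

An empty APP_TRUSTED_PROXIES passes this check, which is only right when nothing sits in front of Monica; behind a proxy, CDN or load balancer the value should be that proxy's own address, as the paragraph above describes. Run it as `sh audit.sh < /path/to/monica/.env` after removing the demo lines, or pipe the file in.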
On the patch: We are not aware of a fix at the time of writing. In our assessment, the two configuration steps above are the more complete protection available to operators today, and pinning APP_URL is the single most effective action you can take right now. Review the maintainer advisory if and when it lands to understand exactly what any release does and does not address before assuming you are fully covered.
About NoScope
This is one example of what NoScope finds. NoScope has uncovered dozens of vulnerabilities like this across real production applications.
NoScope is an autonomous pentesting agent that continuously tests applications and surfaces vulnerabilities automatically. It's built to find what an attacker would find, just before they do.
Get in touch: noscope.com/contact, LinkedIn, X