diff --git a/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
new file mode 100644
index 0000000000..5aa2fde328
--- /dev/null
+++ b/meta-webserver/recipes-webadmin/netdata/netdata/CVE-2023-22497.patch
@@ -0,0 +1,120 @@
+From 1aa77696d0853ab515eddea8ee7a7d16d3813571 Mon Sep 17 00:00:00 2001
+From: Costa Tsaousis
+Date: Tue, 29 Nov 2022 17:28:17 +0200
+Subject: [PATCH] Strict control of streaming API keys and MACHINE GUIDs in
+ stream.conf (#14063)
+
+do not allow machine guids to be used as API keys
+
+CVE: CVE-2023-22497
+Upstream-Status: Backport [https://github.com/netdata/netdata/commit/811028aea2f146cc0ac2bc403f7d692add400d63]
+Signed-off-by: Gyorgy Sarvari
+---
+ streaming/rrdpush.c | 30 ++++++++++++++++++++++++------
+ streaming/stream.conf | 10 ++++++++++
+ 2 files changed, 34 insertions(+), 6 deletions(-)
+
+diff --git a/streaming/rrdpush.c b/streaming/rrdpush.c
+index 8829d1e..0a0d9fc 100644
+--- a/streaming/rrdpush.c
++++ b/streaming/rrdpush.c
+@@ -594,21 +594,30 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+ 
+ if(regenerate_guid(key, buf) == -1) {
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID KEY");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID KEY");
+ error("STREAM [receive from [%s]:%s]: API key '%s' is not valid GUID (use the command uuidgen to generate one). Forbidding access.", w->client_ip, w->client_port, key);
+ return rrdpush_receiver_permission_denied(w);
+ }
+ 
+ if(regenerate_guid(machine_guid, buf) == -1) {
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - INVALID MACHINE GUID");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - INVALID MACHINE GUID");
+ error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+ return rrdpush_receiver_permission_denied(w);
+ }
+ 
++ const char *api_key_type = appconfig_get(&stream_config, key, "type", "api");
++ if(!api_key_type || !*api_key_type) api_key_type = "unknown";
++ if(strcmp(api_key_type, "api") != 0) {
++ rrdhost_system_info_free(system_info);
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - API KEY GIVEN IS NOT API KEY");
++ error("STREAM [receive from [%s]:%s]: API key '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, key, api_key_type);
++ return rrdpush_receiver_permission_denied(w);
++ }
++
+ if(!appconfig_get_boolean(&stream_config, key, "enabled", 0)) {
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - KEY NOT ENABLED");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ENABLED");
+ error("STREAM [receive from [%s]:%s]: API key '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, key);
+ return rrdpush_receiver_permission_denied(w);
+ }
+@@ -619,7 +628,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+ if(!simple_pattern_matches(key_allow_from, w->client_ip)) {
+ simple_pattern_free(key_allow_from);
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - KEY NOT ALLOWED FROM THIS IP");
+ error("STREAM [receive from [%s]:%s]: API key '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, key);
+ return rrdpush_receiver_permission_denied(w);
+ }
+@@ -627,9 +636,18 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+ }
+ }
+ 
++ const char *machine_guid_type = appconfig_get(&stream_config, machine_guid, "type", "machine");
++ if(!machine_guid_type || !*machine_guid_type) machine_guid_type = "unknown";
++ if(strcmp(machine_guid_type, "machine") != 0) {
++ rrdhost_system_info_free(system_info);
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID GIVEN IS NOT A MACHINE GUID");
++ error("STREAM [receive from [%s]:%s]: machine GUID '%s' is a %s GUID. Forbidding access.", w->client_ip, w->client_port, machine_guid, machine_guid_type);
++ return rrdpush_receiver_permission_denied(w);
++ }
++
+ if(!appconfig_get_boolean(&stream_config, machine_guid, "enabled", 1)) {
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname)?hostname:"-", "ACCESS DENIED - MACHINE GUID NOT ENABLED");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ENABLED");
+ error("STREAM [receive from [%s]:%s]: machine GUID '%s' is not allowed. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+ return rrdpush_receiver_permission_denied(w);
+ }
+@@ -640,7 +658,7 @@ int rrdpush_receiver_thread_spawn(struct web_client *w, char *url) {
+ if(!simple_pattern_matches(machine_allow_from, w->client_ip)) {
+ simple_pattern_free(machine_allow_from);
+ rrdhost_system_info_free(system_info);
+- log_stream_connection(w->client_ip, w->client_port, (key && *key)?key:"-", (machine_guid && *machine_guid)?machine_guid:"-", (hostname && *hostname) ? hostname : "-", "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP");
++ log_stream_connection(w->client_ip, w->client_port, key, machine_guid, hostname, "ACCESS DENIED - MACHINE GUID NOT ALLOWED FROM THIS IP");
+ error("STREAM [receive from [%s]:%s]: Machine GUID '%s' is not permitted from this IP. Forbidding access.", w->client_ip, w->client_port, machine_guid);
+ return rrdpush_receiver_permission_denied(w);
+ }
+diff --git a/streaming/stream.conf b/streaming/stream.conf
+index e65e76f..7229ade 100644
+--- a/streaming/stream.conf
++++ b/streaming/stream.conf
+@@ -115,6 +115,11 @@
+ [API_KEY]
+ # Default settings for this API key
+ 
++ # This GUID is to be used as an API key from remote agents connecting
++ # to this machine. Failure to match such a key, denies access.
++ # YOU MUST SET THIS FIELD ON ALL API KEYS.
++ type = api
++
+ # You can disable the API key, by setting this to: no
+ # The default (for unknown API keys) is: no
+ enabled = no
+@@ -184,6 +189,11 @@
+ # you can give settings for each sending host here.
+ 
+ [MACHINE_GUID]
++ # This GUID is to be used as a MACHINE GUID from remote agents connecting
++ # to this machine, not an API key.
++ # YOU MUST SET THIS FIELD ON ALL MACHINE GUIDs.
++ type = machine
++
+ # enable this host: yes | no
+ # When disabled, the parent will not receive metrics for this host.
+ # THIS IS NOT A SECURITY MECHANISM - AN ATTACKER CAN SET ANY OTHER GUID.
diff --git a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
index 516fde6281..4d57b84b07 100644
--- a/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
+++ b/meta-webserver/recipes-webadmin/netdata/netdata_1.34.1.bb
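Review bot: The new `type` checks in the rrdpush.c hunks at -594 and -627 are opt-in rather than enforced: `appconfig_get(&stream_config, key, "type", "api")` returns the default "api" whenever the section has no `type` line, so a machine GUID whose [MACHINE_GUID] section predates this patch (and therefore has no `type = machine`) still passes the API-key check, and the backport only closes CVE-2023-22497 once every section in a deployed stream.conf carries the field; the stream.conf hunks change the shipped template only, not existing configurations. That deployment requirement belongs in the patch header or the recipe, e.g. `# enforcement of CVE-2023-22497 requires type = api / type = machine on every stream.conf section; sections without it fall back to the expected type`. The dropped `(key && *key)?key:"-"` guards on the log_stream_connection calls presumably rely on the earlier empty-key/empty-GUID/empty-hostname rejections in rrdpush_receiver_thread_spawn, which lie before line 594 and outside the hunk; confirm they exist in 1.34.1, since the 1.34.1 log_stream_connection is not part of this backport and appears to receive the pointers unguarded. rrdpush_receiver_thread_spawn starts and ends outside the hunks.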
@@ -7,7 +7,9 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=fc9b848046ef54b5eaee6071947abd24"
 
 DEPENDS += "libuv util-linux zlib"
 
-SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz"
+SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/v${PV}/${BPN}-v${PV}.tar.gz \
+ file://CVE-2023-22497.patch \
+ "
 SRC_URI[sha256sum] = "8ea0786df0e952209c14efeb02e25339a0769aa3edc029e12816b8ead24a82d7"
 
 # default netdata.conf for netdata configuration