Vulnerability-Lookup

CVE-2026-47124 (GCVE-0-2026-47124)

Vulnerability from cvelistv5 – Published: 2026-06-12 21:03 – Updated: 2026-06-12 21:03

Title

Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Summary

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/nezhahq/nezha/security/advisor…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
nezhahq	nezha	Affected: >= 1.4.0, < 2.0.9

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "nezha",
          "vendor": "nezhahq",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.4.0, \u003c 2.0.9"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-12T21:03:08.831Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj"
        }
      ],
      "source": {
        "advisory": "GHSA-hvv7-hfrh-7gxj",
        "discovery": "UNKNOWN"
      },
      "title": "Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-47124",
    "datePublished": "2026-06-12T21:03:08.831Z",
    "dateReserved": "2026-05-18T19:50:18.694Z",
    "dateUpdated": "2026-06-12T21:03:08.831Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-47124",
      "date": "2026-06-14",
      "epss": "0.00031",
      "percentile": "0.09352"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-47124\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-12T22:16:51.250\",\"lastModified\":\"2026-06-12T22:16:51.250\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-47124

Vulnerability from fkie_nvd - Published: 2026-06-12 22:16 - Updated: 2026-06-12 22:16

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O\u0026M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9."
    }
  ],
  "id": "CVE-2026-47124",
  "lastModified": "2026-06-12T22:16:51.250",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-12T22:16:51.250",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HVV7-HFRH-7GXJ

Vulnerability from github – Published: 2026-05-23 00:18 – Updated: 2026-05-23 00:18

Summary

Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Details

Summary

Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list.

Details

The server WebSocket route is registered under the optional-auth group in cmd/dashboard/controller/controller.go:71-73:

optionalAuth := api.Group("", optionalAuthMw)
optionalAuth.GET("/ws/server", commonHandler(serverStream))

serverStream treats any CtxKeyAuthorizedUser as a member, without checking admin role or per-server ownership, in cmd/dashboard/controller/ws.go:123-139:

u, isMember := c.Get(model.CtxKeyAuthorizedUser)
var userId uint64
if isMember {
    userId = u.(*model.User).ID
}
...
stat, err := getServerStat(count == 0, isMember)

The authorization boolean is then used as a full/guest switch in getServerStat in cmd/dashboard/controller/ws.go:160-184:

if authorized {
    serverList = singleton.ServerShared.GetSortedList()
} else {
    serverList = singleton.ServerShared.GetSortedListForGuest()
}
...
servers = append(servers, model.StreamServer{
    ID:           server.ID,
    Name:         server.Name,
    PublicNote:   utils.IfOr(withPublicNote, server.PublicNote, ""),
    DisplayIndex: server.DisplayIndex,
    Host:         utils.IfOr(authorized, server.Host, server.Host.Filter()),
    State:        server.State,
    CountryCode:  countryCode,
    LastActive:   server.LastActive,
})

For authenticated members, GetSortedList() returns all servers and server.Host is not filtered. There is no call to server.HasPermission(c).

The streamed response model in model/server_api.go:5-20 includes server ID/name, public note, host details, runtime state, country code, last active time, and global online count. Host and state fields include platform version, agent version, CPU/GPU names, memory/disk/swap totals, architecture, virtualization, boot time, CPU load, memory/disk/swap usage, network transfer/speed, uptime, TCP/UDP/process counts, temperatures, and GPU utilization, as defined in model/host.go:20-38 and model/host.go:100-112.

The normal list endpoint has the expected object-level authorization. GET /api/v1/server is registered with listHandler in cmd/dashboard/controller/controller.go:113, and listHandler filters each returned object with HasPermission in cmd/dashboard/controller/controller.go:263-291:

filtered := filter(c, data)
...
return slices.DeleteFunc(s, func(e E) bool {
    return !e.HasPermission(ctx)
})

The shared permission model in model/common.go:44-56 allows admins to see all objects but restricts members to objects whose UserID matches their user ID:

if user.Role == RoleAdmin {
    return true
}
return user.ID == c.UserID

Mitigations checked:

Guests receive GetSortedListForGuest() and Host.Filter() output, but authenticated members bypass both guest restrictions.
HideForGuest only affects unauthenticated guests, not members.
The normal /api/v1/server list endpoint uses listHandler and is not affected in the same way.
No owner/admin filter is applied in the WebSocket path.

Candidate score: 12/14

Reachability: 2, default WebSocket API
Attacker control: 1, attacker controls authentication state and connection
Privilege required: 1, authenticated member
Sink impact: 2, cross-tenant sensitive telemetry disclosure
Mitigation weakness: 2, no object-level auth in the WebSocket path
Default exposure: 2, endpoint is part of default dashboard
Safe PoC feasibility: 2, can be verified with local users/servers or statically

Exploitability gate: statically confirmed

Reachable source: GET /api/v1/ws/server
Default/common configuration: dashboard API exposed by default
Missing/bypassed mitigation: member-vs-guest check replaces object-level authorization
Impact-bearing sink: WebSocket response includes unfiltered all-server telemetry
Safe proof: static source-to-sink proof; full runtime test blocked locally by unavailable Go 1.26 toolchain
Affected version evidence: confirmed at commit 85b0dd2992733037b019442caffc6c049ba937dd (v2.0.7-1-g85b0dd2)
Variant review: normal server list endpoint and guest filtering were checked

PoC

Static local PoC steps:

Start Nezha with two non-admin users and at least one server assigned to each user.
Authenticate as user A.
Connect to the WebSocket endpoint with user A's token, for example:

GET /api/v1/ws/server HTTP/1.1
Host: 127.0.0.1:8008
Cookie: nz-jwt=<user-a-token>
Upgrade: websocket
Connection: Upgrade

Observe that the JSON messages contain entries for all servers from singleton.ServerShared.GetSortedList(), including servers whose UserID does not match user A.
Compare with GET /api/v1/server using the same token; that route is filtered through listHandler/HasPermission and should only return user A's own servers.

Cleanup: no persistent state is created by the WebSocket connection.

Local dynamic confirmation note: the full project test/runtime could not be executed in this audit environment because the repository requires Go 1.26 and the local toolchain reported go: download go1.26 for linux/amd64: toolchain not available.

Impact

This is an authenticated horizontal information disclosure. A low-privileged member can continuously monitor other users' server inventory and live telemetry, including host platform details, agent versions, CPU/GPU details, resource usage, traffic counters, country code, and last-active timestamps. This may expose infrastructure composition, usage patterns, and operational state across tenants.

Suggested remediation

Apply object-level authorization in getServerStat for authenticated non-admin users. For each server in the stream, include it only if the current user is admin or server.UserID matches the authenticated user. Keep guest filtering and host redaction for unauthenticated users.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nezhahq/nezha"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.4.0"
            },
            {
              "fixed": "1.14.15-0.20260517034128-05e5da253519"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-23T00:18:33Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAny authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by `HasPermission`, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list.\n\n### Details\n\nThe server WebSocket route is registered under the optional-auth group in `cmd/dashboard/controller/controller.go:71-73`:\n\n```go\noptionalAuth := api.Group(\"\", optionalAuthMw)\noptionalAuth.GET(\"/ws/server\", commonHandler(serverStream))\n```\n\n`serverStream` treats any `CtxKeyAuthorizedUser` as a member, without checking admin role or per-server ownership, in `cmd/dashboard/controller/ws.go:123-139`:\n\n```go\nu, isMember := c.Get(model.CtxKeyAuthorizedUser)\nvar userId uint64\nif isMember {\n    userId = u.(*model.User).ID\n}\n...\nstat, err := getServerStat(count == 0, isMember)\n```\n\nThe authorization boolean is then used as a full/guest switch in `getServerStat` in `cmd/dashboard/controller/ws.go:160-184`:\n\n```go\nif authorized {\n    serverList = singleton.ServerShared.GetSortedList()\n} else {\n    serverList = singleton.ServerShared.GetSortedListForGuest()\n}\n...\nservers = append(servers, model.StreamServer{\n    ID:           server.ID,\n    Name:         server.Name,\n    PublicNote:   utils.IfOr(withPublicNote, server.PublicNote, \"\"),\n    DisplayIndex: server.DisplayIndex,\n    Host:         utils.IfOr(authorized, server.Host, server.Host.Filter()),\n    State:        server.State,\n    CountryCode:  countryCode,\n    LastActive:   server.LastActive,\n})\n```\n\nFor authenticated members, `GetSortedList()` returns all servers and `server.Host` is not filtered. There is no call to `server.HasPermission(c)`.\n\nThe streamed response model in `model/server_api.go:5-20` includes server ID/name, public note, host details, runtime state, country code, last active time, and global online count. Host and state fields include platform version, agent version, CPU/GPU names, memory/disk/swap totals, architecture, virtualization, boot time, CPU load, memory/disk/swap usage, network transfer/speed, uptime, TCP/UDP/process counts, temperatures, and GPU utilization, as defined in `model/host.go:20-38` and `model/host.go:100-112`.\n\nThe normal list endpoint has the expected object-level authorization. `GET /api/v1/server` is registered with `listHandler` in `cmd/dashboard/controller/controller.go:113`, and `listHandler` filters each returned object with `HasPermission` in `cmd/dashboard/controller/controller.go:263-291`:\n\n```go\nfiltered := filter(c, data)\n...\nreturn slices.DeleteFunc(s, func(e E) bool {\n    return !e.HasPermission(ctx)\n})\n```\n\nThe shared permission model in `model/common.go:44-56` allows admins to see all objects but restricts members to objects whose `UserID` matches their user ID:\n\n```go\nif user.Role == RoleAdmin {\n    return true\n}\nreturn user.ID == c.UserID\n```\n\nMitigations checked:\n\n- Guests receive `GetSortedListForGuest()` and `Host.Filter()` output, but authenticated members bypass both guest restrictions.\n- `HideForGuest` only affects unauthenticated guests, not members.\n- The normal `/api/v1/server` list endpoint uses `listHandler` and is not affected in the same way.\n- No owner/admin filter is applied in the WebSocket path.\n\nCandidate score: 12/14\n\n- Reachability: 2, default WebSocket API\n- Attacker control: 1, attacker controls authentication state and connection\n- Privilege required: 1, authenticated member\n- Sink impact: 2, cross-tenant sensitive telemetry disclosure\n- Mitigation weakness: 2, no object-level auth in the WebSocket path\n- Default exposure: 2, endpoint is part of default dashboard\n- Safe PoC feasibility: 2, can be verified with local users/servers or statically\n\nExploitability gate: statically confirmed\n\n- Reachable source: `GET /api/v1/ws/server`\n- Default/common configuration: dashboard API exposed by default\n- Missing/bypassed mitigation: member-vs-guest check replaces object-level authorization\n- Impact-bearing sink: WebSocket response includes unfiltered all-server telemetry\n- Safe proof: static source-to-sink proof; full runtime test blocked locally by unavailable Go 1.26 toolchain\n- Affected version evidence: confirmed at commit `85b0dd2992733037b019442caffc6c049ba937dd` (`v2.0.7-1-g85b0dd2`)\n- Variant review: normal server list endpoint and guest filtering were checked\n\n### PoC\n\nStatic local PoC steps:\n\n1. Start Nezha with two non-admin users and at least one server assigned to each user.\n2. Authenticate as user A.\n3. Connect to the WebSocket endpoint with user A\u0027s token, for example:\n\n```http\nGET /api/v1/ws/server HTTP/1.1\nHost: 127.0.0.1:8008\nCookie: nz-jwt=\u003cuser-a-token\u003e\nUpgrade: websocket\nConnection: Upgrade\n```\n\n4. Observe that the JSON messages contain entries for all servers from `singleton.ServerShared.GetSortedList()`, including servers whose `UserID` does not match user A.\n5. Compare with `GET /api/v1/server` using the same token; that route is filtered through `listHandler`/`HasPermission` and should only return user A\u0027s own servers.\n\nCleanup: no persistent state is created by the WebSocket connection.\n\nLocal dynamic confirmation note: the full project test/runtime could not be executed in this audit environment because the repository requires Go 1.26 and the local toolchain reported `go: download go1.26 for linux/amd64: toolchain not available`.\n\n### Impact\n\nThis is an authenticated horizontal information disclosure. A low-privileged member can continuously monitor other users\u0027 server inventory and live telemetry, including host platform details, agent versions, CPU/GPU details, resource usage, traffic counters, country code, and last-active timestamps. This may expose infrastructure composition, usage patterns, and operational state across tenants.\n\n## Suggested remediation\n\nApply object-level authorization in `getServerStat` for authenticated non-admin users. For each server in the stream, include it only if the current user is admin or `server.UserID` matches the authenticated user. Keep guest filtering and host redaction for unauthenticated users.",
  "id": "GHSA-hvv7-hfrh-7gxj",
  "modified": "2026-05-23T00:18:34Z",
  "published": "2026-05-23T00:18:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nezhahq/nezha"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-47124 (GCVE-0-2026-47124)

FKIE_CVE-2026-47124

GHSA-HVV7-HFRH-7GXJ

Summary

Details

PoC

Impact

Suggested remediation

Tags

Sightings

Nomenclature