Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
Published: 2026-06-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in the server-status WebSocket endpoint. Authenticated users who are not administrators can connect and receive telemetry for every server in the deployment, regardless of ownership. This unintended data access breaches confidentiality, allowing cross‑tenant leakage of operational metrics. The weakness is classified as CWE‑200 (information exposure).
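The description above and this Impact paragraph both describe the same authorization gap: the list API filters per object with HasPermission while the WebSocket stream checks only that a user is logged in. The following Go sketch is an added illustration, not Nezha's code: the Server, User and hasPermission names and their semantics (admins see everything, members see servers they own) are assumed, and the constructed inventory shows the flawed stream leaking every server to a member next to a stream that reuses the per-object check.

```go
package main

import "fmt"

// Server and User are constructed stand-ins for the real Nezha models (assumed shape).
type Server struct {
	ID     uint64
	Name   string
	UserID uint64 // owning member
}

type User struct {
	ID      uint64
	IsAdmin bool
}

// hasPermission models the per-object check the normal list API applies
// (assumed semantics: admins see every server, members only their own).
func hasPermission(u *User, s Server) bool {
	return u != nil && (u.IsAdmin || s.UserID == u.ID)
}

// vulnerableStream models the flawed WebSocket handler: being authenticated
// is treated as authorization for the full, unfiltered server list.
func vulnerableStream(u *User, all []Server) []Server {
	if u == nil {
		return nil // unauthenticated connections are refused
	}
	return all
}

// fixedStream applies the same per-object check as the list API before
// any telemetry is sent over the stream.
func fixedStream(u *User, all []Server) []Server {
	if u == nil {
		return nil
	}
	visible := make([]Server, 0, len(all))
	for _, s := range all {
		if hasPermission(u, s) {
			visible = append(visible, s)
		}
	}
	return visible
}

func main() {
	// Constructed inventory: two servers owned by member 10, one by member 20.
	servers := []Server{{1, "web-1", 10}, {2, "db-1", 20}, {3, "web-2", 10}}
	member := &User{ID: 10}
	fmt.Println(len(vulnerableStream(member, servers)), "servers exposed by the unfiltered stream")
	fmt.Println(len(fixedStream(member, servers)), "servers visible after filtering")
}
```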

Affected Systems

Nezha Monitoring from vendor nezhahq is affected by this flaw. Any deployment running a version from 1.4.0 up to, but not including, 2.0.9 is vulnerable; the patch is included in version 2.0.9 and later.

Risk and Exploitability

The CVSS score of 6.5 places the vulnerability in the moderate severity range. The EPSS score of <1% indicates a very low likelihood of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker hold an authenticated non-admin account, making the attack path straightforward. The attack would result solely in data disclosure, with no impact on availability or integrity beyond the breach of telemetry visibility.

Generated by OpenCVE AI on June 12, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nezha Monitoring to version 2.0.9 or later to apply the vendor fix.
  • Configure access controls or firewall rules to restrict the server-status WebSocket endpoint so that only administrator accounts can connect.
  • Monitor WebSocket usage for unexpected telemetry requests from non‑admin users to ensure the issue remains remediated.

Generated by OpenCVE AI on June 12, 2026 at 22:23 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-hvv7-hfrh-7gxj
Title: Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
History

Fri, 12 Jun 2026 21:45:00 +0000

Values Added:
  • Description: Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
  • Title: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
  • Weaknesses: CWE-200
  • References: (none listed)
  • Metrics (cvssV3_1): score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T21:03:08.831Z

Reserved: 2026-05-18T19:50:18.694Z

Link: CVE-2026-47124

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:51.250

Modified: 2026-06-12T22:16:51.250

Link: CVE-2026-47124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor