Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data. This issue has been patched in version 2.0.14.
Published: 2026-06-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nezha Monitoring versions 2.0.0 through 2.0.13 allow an attacker who can reach the per‑server endpoints to enumerate private services marked with EnableShowInService: false. The result is that names and timing data for services that are intended to remain hidden are exposed, violating confidentiality. The vulnerability is classified under CWE‑200 (Information Exposure), CWE‑285 (Improper Authorization) and CWE‑863 (Missing Function Level Access Control).

Affected Systems

The affected systems are deployments of the nezhahq:nezha product, specifically from version 2.0.0 up to, but not including, version 2.0.14. Any instance running an affected version and exposing the per‑server API endpoints is susceptible. The product is self‑hosted, so attacks can originate from the same network or from the public internet if the endpoints are reachable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% shows a very low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. A likely attack vector is direct HTTP requests to the per‑server API endpoints, which can be accessed by users with network connectivity to the Nezha Monitoring instance. If an attacker can obtain or guess service identifiers, enumeration can be performed to gather service names and latency information. Proper authorization controls would prevent this, but the current implementation lacks them for private services.

Generated by OpenCVE AI on June 12, 2026 at 22:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Nezha Monitoring version 2.0.14 or later, where the enumeration issue is fixed.
  • If upgrading immediately is not possible, limit network access to the per‑server API endpoints using firewall rules or VPN restrictions to prevent unauthenticated enumeration attempts.
  • Disable or remove the EnableShowInService configuration if it is not required, ensuring that private services are not exposed via the API, and review role‑based access controls to restrict who can call these endpoints.

Generated by OpenCVE AI on June 12, 2026 at 22:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vrmh-5mmx-hjwx Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
History

Mon, 15 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 13 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Nezhahq
Nezhahq nezha
Vendors & Products Nezhahq
Nezhahq nezha

Fri, 12 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.0 to before version 2.0.14, private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data. This issue has been patched in version 2.0.14.
Title Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
Weaknesses CWE-200
CWE-285
CWE-863
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-15T17:26:51.033Z

Reserved: 2026-05-29T19:08:01.256Z

Link: CVE-2026-49397

cve-icon Vulnrichment

Updated: 2026-06-15T17:26:38.863Z

cve-icon NVD

Status : Deferred

Published: 2026-06-12T22:16:51.813

Modified: 2026-06-15T20:46:57.713

Link: CVE-2026-49397

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-13T12:30:10Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-285

    Improper Authorization

  • CWE-863

    Incorrect Authorization