Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml — which os.Stat finds and http.ServeFile returns. No authentication required. This issue has been patched in version 2.0.13.
Published: 2026-06-12
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A pre-authentication path traversal flaw exists in Nezha Monitoring. The dashboard's fallback handler only checks that the raw URL string begins with "/dashboard", so a request for "/dashboard../data/config.yaml" passes the check; the remainder "../data/config.yaml" is joined onto the admin asset directory and normalizes to the relative path "data/config.yaml" (resolved against the dashboard's working directory), which os.Stat finds and http.ServeFile returns to an unauthenticated client. That configuration file contains the jwt_secret_key, so the attacker obtains the dashboard's JWT signing secret.

Affected Systems

Nezha Monitoring (nezhahq/nezha) releases earlier than 2.0.13 are affected. The flawed check sits in the NoRoute fallback, which runs before any authentication, so every instance whose dashboard is reachable over the network is exposed regardless of how admin login is configured.

Risk and Exploitability

The CVSS v3.1 base score is 9.1 (Critical; vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): network-reachable, low attack complexity, no privileges or user interaction required, with high confidentiality and integrity impact. No EPSS score is available yet, the issue is not listed in the CISA KEV catalog, and no public exploit is referenced on this page. Exploitation nonetheless needs nothing more than a single unauthenticated HTTP GET to the dashboard, so internet-exposed instances should be treated as at immediate risk of having their configuration secrets read.

Generated by OpenCVE AI on June 12, 2026 at 22:22 UTC.

Remediation

The vendor has fixed this issue in Nezha Monitoring 2.0.13. No vendor-supplied workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Update Nezha Monitoring to version 2.0.13 or later, where the routing check has been fixed.
  • If an immediate update is not possible, put the dashboard behind a reverse proxy that forwards only requests whose normalized, decoded path is exactly /dashboard or begins with /dashboard/, and rejects any other path starting with /dashboard (such as /dashboard..). Match on the normalized path so the proxy and the application compare the same string; blocking only the literal "/dashboard.." is too narrow, because any suffix that survives the raw prefix check and then cleans upward (for example "/dashboard./../") reaches the same file. Alternatively, disable the fallbackToFrontend handler if the admin frontend is served another way.
  • Implement network segmentation or firewall rules so that the Nezha Monitoring web interface is reachable only from a trusted network segment or over VPN.

Generated by OpenCVE AI on June 12, 2026 at 22:22 UTC.
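The prefix confusion described in the Description and Impact sections, and the segment-match rule recommended in the actions above, as an added example in Go. This is not Nezha's code: the functions vulnerableResolve and safeResolve, the constants adminDist and dashboard, and the sample URLs are assumptions of this example, modelled only on the standard-library calls the description names (strings.HasPrefix, strings.TrimPrefix, path.Join). It stops at path resolution, the step before os.Stat and http.ServeFile, so it runs offline with no filesystem:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Hypothetical names for the admin asset directory and its URL prefix,
// taken from the CVE description; not Nezha's actual identifiers.
const (
	adminDist = "admin-dist"
	dashboard = "/dashboard"
)

// vulnerableResolve mirrors the flawed logic described for the NoRoute
// fallback: a raw-string prefix check, TrimPrefix, then path.Join with no
// containment check. It returns the filesystem path that would be handed
// to os.Stat/http.ServeFile, and false when the prefix test fails.
func vulnerableResolve(urlPath string) (string, bool) {
	if !strings.HasPrefix(urlPath, dashboard) {
		return "", false
	}
	rest := strings.TrimPrefix(urlPath, dashboard) // "/dashboard../x" -> "../x"
	return path.Join(adminDist, rest), true         // Clean() folds ".." upward
}

// insideRoot reports whether the cleaned path p is root itself or lies below it.
func insideRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+"/")
}

// safeResolve uses a path-segment match instead of a string prefix match:
// the URL must be exactly /dashboard or start with /dashboard/. The joined
// result is then re-checked to still lie under adminDist, so a traversal
// inside the legitimate prefix ("/dashboard/../x") is rejected too.
func safeResolve(urlPath string) (string, bool) {
	var rest string
	switch {
	case urlPath == dashboard:
		rest = "/"
	case strings.HasPrefix(urlPath, dashboard+"/"):
		rest = urlPath[len(dashboard):]
	default:
		return "", false // "/dashboard../x", "/dashboardx/..." are not this route
	}
	fsPath := path.Join(adminDist, rest)
	if !insideRoot(adminDist, fsPath) {
		return "", false // defence in depth: "/dashboard/../x" cleans to "x"
	}
	return fsPath, true
}

func main() {
	// Constructed sample URLs: legitimate asset requests and traversal attempts.
	for _, u := range []string{
		"/dashboard",
		"/dashboard/assets/app.js",
		"/dashboard../data/config.yaml",
		"/dashboard/../data/config.yaml",
		"/dashboardx/foo",
	} {
		vp, vok := vulnerableResolve(u)
		sp, sok := safeResolve(u)
		fmt.Printf("%-32s vulnerable=%q (accepted=%v, inside root=%v)  safe=%q (accepted=%v)\n",
			u, vp, vok, vok && insideRoot(adminDist, vp), sp, sok)
	}
}
```

vulnerableResolve turns /dashboard../data/config.yaml into data/config.yaml, outside admin-dist, exactly as the description traces it; safeResolve rejects that URL, rejects the /dashboard/../data/config.yaml form that cleans upward inside the legitimate prefix, and still serves /dashboard/assets/app.js. In production Go code the same containment is better enforced at the filesystem layer by serving from an fs.FS rooted at the asset directory (http.FS(os.DirFS(adminDist))), since fs.ValidPath refuses any ".." element, or on Go 1.24 and later via os.Root.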

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 21:45:00 +0000

Initial record; no values removed. Values added:

  • Description: the description quoted at the top of this page
  • Title: Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
  • Weaknesses: CWE-22
  • References: (empty)
  • Metrics: cvssV3_1, score 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T21:03:48.844Z

Reserved: 2026-06-09T17:30:33.456Z

Link: CVE-2026-53519

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T22:16:51.953

Modified: 2026-06-12T22:16:51.953

Link: CVE-2026-53519

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')