
github.com/nezhahq/nezha vulnerabilities

13 known vulnerabilities affecting github.com/nezhahq_nezha.

Total CVEs: 13
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 3, MEDIUM 8

Vulnerabilities

CVE-2026-46716 | Priority P2 | CRITICAL | CWE-639 | Published 2026-06-26
Affected versions: ≥ 1.14.13, ≤ 1.14.14; ≥ 2.0.0, < 2.0.10
Nezha vulnerable to cross-tenant terminal/file-manager session hijack via WebSocket stream UUID without ownership check
Summary: In nezha **v1.14.13–v1.14.14** and **v2.0.0–v2.0.9**, the WebSocket endpoints `GET /ws/terminal/:id` and `GET /ws/file/:id` authenticate the caller only by the presence of a valid stream UUID, with no ownership c
CVE-2026-53519 | Priority P2 | CRITICAL | CWE-22 | Published 2026-06-26
Affected versions: ≥ 0, < 2.0.13
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key
Summary: `fallbackToFrontend` in the dashboard's `NoRoute` handler treats any URL whose **raw string** starts with `/dashboard` as an admin-frontend asset request. The check uses `strings.HasPrefix`, not a path-segment match, so the input `/dashboard../data/config.yaml
CVE-2026-46717 | Priority P3 | HIGH | CWE-863 | Published 2026-05-23
Affected versions: ≥ 1.4.0, < 1.14.15-0.20260517022419-d06d539d34c1
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Summary: nezha's dashboard supports two user roles: `RoleAdmin` (Role==0) and `RoleMember` (Role==1). The notification routes `POST /api/v1/notification` and `PATCH /api/v1/notification/:id` are wired through `commonHandler` rather than `adminHandl
CVE-2026-47124 | Priority P3 | MEDIUM | CWE-200 | Published 2026-05-23
Affected versions: ≥ 1.4.0, < 1.14.15-0.20260517034128-05e5da253519
Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Summary: Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by `HasPermission`, but the
CVE-2026-47268 | Priority P3 | MEDIUM | CWE-918 | Published 2026-05-29
Affected versions: ≥ 0.20.0, < 2.0.10
Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
Summary: An authenticated Nezha dashboard user can create or update a DDNS profile with provider `webhook` and configure an arbitrary `webhook_url`, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the
CVE-2026-48119 | Priority P3 | HIGH | CWE-862 | Published 2026-06-01
Affected versions: ≥ 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15; ≥ 2.0.0, < 2.0.12
Nezha's authenticated agents can forge service-monitor results for other users' services
Summary: Nezha accepts service-monitor `TaskResult` messages from an authenticated agent based only on whether the reported service ID exists. The dashboard authenticates the agent and derives the reporter server ID from the gRPC stream, but the service-monitor result worker does not v
CVE-2026-47120 | Priority P3 | MEDIUM | CWE-862 | Published 2026-05-23
Affected versions: ≥ 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97
Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)
Summary: `createAlertRule` and `createService` (and their `update*` siblings) accept `FailTriggerTasks []uint64` and `RecoverTriggerTasks []uint64` — IDs of cron tasks to fire when the alert/service trips. The validation function only v
CVE-2026-53522 | Priority P3 | MEDIUM | CWE-770 | Published 2026-06-26
Affected versions: ≥ 1.0.0, < 2.2.0
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS
Description: The Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: `POST /api/v1/terminal` → `createTerminal()` (terminal.go:27-67) and `POST /api/v1/file` → `createFM()` (fm.go:28-67). Both call `rpc.NezhaHandlerSingleton.CreateStream(streamId, ...)` which inserts
CVE-2026-53521 | Priority P3 | MEDIUM | CWE-863 | Published 2026-06-26
Affected versions: ≥ 2.0.14, < 2.1.0
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context
Summary: `PATCH /server/{id}` accepts and persists nonexistent `ddns_profiles` IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update
CVE-2026-53523 | Priority P3 | MEDIUM | CWE-601 | Published 2026-06-26
Affected versions: ≥ 1.0.0, < 2.2.0
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection
Description: The `getRedirectURL` function in `oauth2.go:22-29` constructs the OAuth2 callback URL by concatenating the request's `Host` header with a fixed path, with **zero validation** of the Host header:
func getRedirectURL(c *gin.Context) string { scheme := "http://" referer := c.Request.Referer() if forwardedProto := c.Req
CVE-2026-53520 | Priority P3 | MEDIUM | CWE-284 | Published 2026-06-26
Affected versions: ≥ 2.0.14, < 2.1.0
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing
Summary: An authenticated non-admin user who owns any server can create or update a NAT profile whose `domain` is equal to the dashboard's own HTTP Host (for example, `dashboard.example:8008`). The dashboard's top-level HTTP/gRPC multiple
CVE-2026-49396 | Priority P4 | HIGH | CWE-352 | Published 2026-06-10
Affected versions: ≥ 1.0.0, < 2.0.14
Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents
Summary: The dashboard exposes the cron manual-trigger action as an authenticated `GET /api/v1/cron/:id/manual` endpoint. Dashboard JWTs are sent in the `nz-jwt` cookie and configured with `SameSite=Lax`, which browsers include on top-level cross-site GET navigations. Because this
CVE-2026-49397 | Priority P4 | MEDIUM | CWE-200 | Published 2026-06-10
Affected versions: ≥ 2.0.0, < 2.0.14
Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
CWE (per advisory): CWE-285 (Improper Authorization) via CWE-200 (Exposure of Sensitive Information to an