CVE-2026-47124
Status: Received - Intake
Nezha Monitoring WebSocket Server Unauthorized Access

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters each object through HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full, unfiltered server list. This issue has been patched in version 2.0.9.
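The gap the description names is a per-object check applied on one path and skipped on another. The following is an added example, not Nezha's own code: it models a server list filtered through a HasPermission check beside a WebSocket snapshot that, as in the affected versions, returns every server to any authenticated user, and then the corrected snapshot that reuses the same filter. The Server and User types, the semantics of HasPermission (admins see everything, members only what they own) and the sample data are all assumptions for illustration.

```go
package main

import "fmt"

// Added example, not Nezha's code. It models the authorization gap the
// advisory describes: the REST server list filters each object through a
// permission check, while the pre-2.0.9 WebSocket stream treated "some user
// is logged in" as permission to see every server.

// Server is a constructed stand-in for a monitored host; UserID is its owner.
type Server struct {
	ID     uint64
	Name   string
	UserID uint64
}

// User is a constructed stand-in for an authenticated account.
type User struct {
	ID    uint64
	Admin bool
}

// HasPermission is the per-object check the advisory names. Its real
// signature and semantics in Nezha are assumed here: admins may see every
// server, a member only servers they own, an unauthenticated caller nothing.
func (s Server) HasPermission(u *User) bool {
	if u == nil {
		return false
	}
	return u.Admin || s.UserID == u.ID
}

// ServerList is the REST-style view: each object is filtered individually.
func ServerList(all []Server, u *User) []Server {
	var out []Server
	for _, s := range all {
		if s.HasPermission(u) {
			out = append(out, s)
		}
	}
	return out
}

// WSSnapshotVulnerable reproduces the behaviour the advisory describes for
// versions 1.4.0 to before 2.0.9: authentication alone unlocks the full list.
func WSSnapshotVulnerable(all []Server, u *User) []Server {
	if u == nil {
		return nil // unauthenticated connections are still rejected
	}
	return all // no per-object check: every member sees every server
}

// WSSnapshotFixed applies the same per-object filter the list API uses, so
// the stream and the list agree on what a given user may see.
func WSSnapshotFixed(all []Server, u *User) []Server {
	return ServerList(all, u)
}

// SampleServers is constructed test data: three servers owned by two members.
func SampleServers() []Server {
	return []Server{
		{ID: 1, Name: "web-1", UserID: 10},
		{ID: 2, Name: "db-1", UserID: 20},
		{ID: 3, Name: "db-2", UserID: 20},
	}
}

func main() {
	member := &User{ID: 10}
	all := SampleServers()
	fmt.Printf("member %d, list API:        %d servers\n", member.ID, len(ServerList(all, member)))
	fmt.Printf("member %d, ws (vulnerable): %d servers\n", member.ID, len(WSSnapshotVulnerable(all, member)))
	fmt.Printf("member %d, ws (fixed):      %d servers\n", member.ID, len(WSSnapshotFixed(all, member)))
}
```

The useful check for any similar codebase is the one this example makes explicit: every endpoint that emits a collection, whether a JSON list or a streamed snapshot, should go through the same per-object authorization function, so that a filter added to one path cannot silently be missing from the other.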
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products
2 associated CPEs:
Vendor             Product            Version / Range
nezha_monitoring   nezha_monitoring   From 1.4.0 (inc) to 2.0.9 (exc)
nezha_monitoring   nezha_monitoring   2.0.9 (the patched release named in the description)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows any authenticated non-admin user to access telemetry data for all servers, including those owned by other users, without proper authorization.

This unauthorized access to potentially sensitive monitoring data could lead to violations of data protection regulations such as GDPR or HIPAA, which require strict access controls and protection of personal or sensitive information.

Therefore, organizations using affected versions of Nezha Monitoring may face compliance risks until the issue is patched in version 2.0.9.

Executive Summary

This vulnerability exists in Nezha Monitoring versions from 1.4.0 up to but not including 2.0.9. It allows any authenticated user who is not an admin to connect to the server-status WebSocket and receive telemetry data for all servers, including those owned by other users.

Normally, the server list API filters server data based on user permissions, but the WebSocket stream incorrectly treats any authenticated user as authorized to access the full, unfiltered server list.

This issue was fixed in version 2.0.9.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of telemetry data for all servers monitored by Nezha Monitoring, including those owned by other users.

An authenticated non-admin user could access sensitive operational data that they should not have permission to see, potentially exposing information about server status and performance.

The CVSS score of 6.5 indicates a medium severity impact primarily due to confidentiality loss.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nezha Monitoring to version 2.0.9 or later, where the issue has been patched. Until the upgrade is applied, treat every non-admin account as able to read telemetry for all monitored servers: limit member accounts to trusted users and review who currently holds one.
