CVE-2026-59155
Received Received - Intake

Nezha Monitoring Credential Exposure in API Responses

Vulnerability report for CVE-2026-59155, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nezha monitoring to 2.2.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Nezha Monitoring versions prior to 2.2.5. The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects that include plaintext third-party API credentials. These credentials include Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, as well as Authorization header values. There is no field-level redaction, meaning sensitive information is exposed in the API responses.

Any authenticated admin or personal access token (PAT) with the nezha:ddns:read or nezha:notification:read scope can retrieve these stored credentials through the listDDNS and listNotification handlers in a single API response.

This issue was fixed in version 2.2.5.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive third-party API credentials and tokens. If an attacker or unauthorized user gains access to an authenticated admin account or a personal access token with the required scopes, they can retrieve these credentials in plaintext.

This exposure can allow attackers to misuse or hijack third-party services integrated with Nezha Monitoring, such as Cloudflare, TencentCloud, Slack, Discord, and Telegram, potentially leading to further compromise of systems, data leakage, or disruption of services.

Compliance Impact

This vulnerability exposes plaintext third-party API credentials, including sensitive tokens and keys, to any authenticated admin or PAT with specific read scopes. Such exposure of sensitive authentication data can lead to unauthorized access and potential data breaches.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the leakage of sensitive credentials could potentially violate data protection requirements under these regulations, which mandate the protection of sensitive information and proper access controls.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nezha Monitoring to version 2.2.5 or later, where the issue is fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59155. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart