PT-2026-42872 · Unknown · Nezha Monitoring

Published

2026-05-23

·

Updated

2026-06-25

·

CVE-2026-47124

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.8
Description Authenticated non-admin members can connect to the server-status WebSocket endpoint '/api/v1/ws/server' and receive telemetry for all servers, including those owned by other users. While the standard server list API filters objects using the HasPermission function, the WebSocket stream incorrectly treats any authenticated user as authorized to access the full, unfiltered server list. This results in the disclosure of sensitive telemetry, including host platform details, agent versions, CPU/GPU specifications, resource usage, network traffic, and operational states across different tenants.
Recommendations Update to version 2.0.9.

Exploit

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47124
GHSA-HVV7-HFRH-7GXJ
GO-2026-5439

Affected Products

Nezha Monitoring