PT-2026-42872 · Unknown · Nezha Monitoring
Published
2026-05-23
·
Updated
2026-06-25
·
CVE-2026-47124
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Nezha Monitoring versions 1.4.0 through 2.0.8
Description
Authenticated non-admin members can connect to the server-status WebSocket endpoint '/api/v1/ws/server' and receive telemetry for all servers, including those owned by other users. While the standard server list API filters objects using the
HasPermission function, the WebSocket stream incorrectly treats any authenticated user as authorized to access the full, unfiltered server list. This results in the disclosure of sensitive telemetry, including host platform details, agent versions, CPU/GPU specifications, resource usage, network traffic, and operational states across different tenants.Recommendations
Update to version 2.0.9.
Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Nezha Monitoring