Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

Basic Information

ID CVE-2026-47124

Source GitHub_M

Published Jun 12, 2026 at 21:03

Affected Product

Vendor nezhahq

Product nezha

Version >= 1.4.0, < 2.0.9

Affected Versions nezhahq nezha >= 1.4.0, < 2.0.9

CWE Classification

CWE-200

References

github.com /nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj

{
    "lastseen": "",
    "description": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.",
    "published": "2026-06-12T21:03:08.831Z",
    "modified": "2026-06-12T21:03:08.831Z",
    "type": "cve",
    "title": "Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members",
    "source": "GitHub_M",
    "references": "https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj",
    "id": "CVE-2026-47124",
    "bulletinFamily": "",
    "cwe": [
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "nezhahq nezha >= 1.4.0, < 2.0.9",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nezha",
    "version": ">= 1.4.0, < 2.0.9",
    "vendor": "nezhahq",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members_CVE-2026-47124