CVE-2026-47124
Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
CVSS Score
6.5
EPSS Score
0.1%
EPSS Percentile
18th
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
| CWE | CWE-200 |
| Vendor | nezhahq |
| Product | nezha |
| Published | Jun 12, 2026 |
Stay Ahead of the Next One
Get instant alerts for nezhahq nezha
Be the first to know when new medium vulnerabilities affecting nezhahq nezha are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected Versions
nezhahq / nezha
>= 1.4.0, < 2.0.9