๐Ÿ” CVE Alert

CVE-2026-59155

UNKNOWN 0.0

Nezha Monitoring: DDNS and Notification credential exposure via unredacted list API

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
22th

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.

CWE CWE-200
Vendor nezhahq
Product nezha
Published Jul 10, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for nezhahq nezha

Be the first to know when new unknown vulnerabilities affecting nezhahq nezha are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

nezhahq / nezha
< 2.2.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/nezhahq/nezha/security/advisories/GHSA-ww5p-j6cj-6mqq github.com: https://github.com/nezhahq/nezha/commit/39d398066d8c644fe452f74704e34ada6c7ab61e github.com: https://github.com/nezhahq/nezha/releases/tag/v2.2.5