CVE Catalog

CVE-2026-47124

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile — higher than 29% of all known CVEs

Summary

Nezha Monitoring versions from 1.4.0 to before 2.0.9 allow authenticated non-admin users to access the server-status WebSocket and receive telemetry data for all servers, including those owned by other users.

Risk Assessment

Organizations may be exposed to telemetry data leaks, potentially compromising privacy and information security. Allowing unauthorized access to other users' server data poses a significant threat to system integrity.

Recommendation

It is recommended to upgrade Nezha Monitoring to version 2.0.9 or later to mitigate this vulnerability. Additionally, conducting a user permissions audit within the system is advisable.

Original NVD description (English source)

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS