CVE-2026-53519
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk30th percentile — higher than 30% of all known CVEs
Summary
Nezha Monitoring prior to version 2.0.13 has a vulnerability in the NoRoute handler in the dashboard that allows access to admin assets without authentication. By exploiting an incorrect URL prefix check, an attacker can access system files.
Risk Assessment
The lack of authentication for accessing admin resources poses a significant security risk, allowing attackers to access sensitive data and system configurations.
Recommendation
It is recommended to upgrade to version 2.0.13 or later to mitigate this vulnerability and implement additional authorization mechanisms for admin resources.
Original NVD description (English source)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml — which os.Stat finds and http.ServeFile returns. No authentication required. This issue has been patched in version 2.0.13.

