CVE-2026-47124
Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
12 Jun 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
nezhahq · nezhaWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →