CVE-2026-53521

Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context

CVSS 6.4 MEDIUM · EPSS 0.2% · CWE-863
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No exploitation signal → monitor
CVSS 6.4 · EPSS 0.2% · KEV: no · PoC · Nuclei · Metasploit · Patch
Lifecycle
12 Jun 2026: Published in NVD
Recommendation: Monitor; no exploitation signal for now.
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the context of the attacker's server. This issue has been patched in version 2.1.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Affected products
nezhahq · nezha