Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-47124
6.5 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): High (H)
- Integrity (I): None (N)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): High (H)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
References
-
https://github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj x_refsource_CONFIRM
Affected products
nezha
- ==>= 1.4.0, < 2.0.9
Matching in nixpkgs
pkgs.nezha
Self-hosted, lightweight server and website monitoring and O&M tool
pkgs.nezha-agent
Agent of Nezha Monitoring
pkgs.nezha-theme-user
Nezha monitoring user frontend based on next.js
pkgs.nezha-theme-admin
Nezha monitoring admin frontend