CVE-2026-47124
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
Nezha Monitoring versions from 1.4.0 to before 2.0.9 allow authenticated non-admin users to access the server-status WebSocket and receive telemetry data for all servers, including those owned by other users.
Risk Assessment
Organizations may be exposed to telemetry data leaks, potentially compromising privacy and information security. Allowing unauthorized access to other users' server data poses a significant threat to system integrity.
Recommendation
It is recommended to upgrade Nezha Monitoring to version 2.0.9 or later to mitigate this vulnerability. Additionally, conducting a user permissions audit within the system is advisable.
Original NVD description (English source)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

