CVE Catalog

CVE-2026-53519

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.38%

30th percentile — higher than 30% of all known CVEs

Summary

Nezha Monitoring prior to version 2.0.13 has a vulnerability in the NoRoute handler in the dashboard that allows access to admin assets without authentication. By exploiting an incorrect URL prefix check, an attacker can access system files.

Risk Assessment

The lack of authentication for accessing admin resources poses a significant security risk, allowing attackers to access sensitive data and system configurations.

Recommendation

It is recommended to upgrade to version 2.0.13 or later to mitigate this vulnerability and implement additional authorization mechanisms for admin resources.

Original NVD description (English source)

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix, not a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml — which os.Stat finds and http.ServeFile returns. No authentication required. This issue has been patched in version 2.0.13.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS