VYPR
Medium severity6.5GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026

CVE-2026-47124

CVE-2026-47124

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/nezhahq/nezhaGo
>= 1.4.0, < 1.14.15-0.20260517034128-05e5da2535191.14.15-0.20260517034128-05e5da253519

Affected products

1
  • Range: >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519

Patches

Vulnerability mechanics

References

2

News mentions

1