Medium severity6.5GHSA Advisory· Published Jun 12, 2026· Updated Jun 15, 2026
CVE-2026-47124
CVE-2026-47124
Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/nezhahq/nezhaGo | >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519 | 1.14.15-0.20260517034128-05e5da253519 |
Affected products
1Patches
Vulnerability mechanics
References
2News mentions
1- Nezha Monitoring: 13 CVEs Disclosed, Including Critical Command Injection and Path BypassVypr Intelligence · Jun 12, 2026