CVE-2026-53519
Description
Pre-authentication path traversal in Nezha Monitoring before 2.0.13 lets attackers read the JWT secret from config.yaml, enabling full admin account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Nezha Monitoring versions prior to 2.0.13, the fallbackToFrontend handler in the dashboard's NoRoute catch-all improperly validates URL paths. The check uses strings.HasPrefix(c.Request.URL.Path, "/dashboard") without enforcing path-segment boundaries, allowing inputs like /dashboard../data/config.yaml to pass. The strings.TrimPrefix removes /dashboard, leaving ../data/config.yaml, which after path.Join with the admin-dist directory resolves to data/config.yaml. This file is then served via http.ServeFile without authentication. [1]
Exploitation
An unauthenticated attacker with network access to the Nezha dashboard can send a crafted GET request to /dashboard../data/config.yaml (or similar traversal sequences). The request reaches the NoRoute handler, which executes the flawed path logic and serves the contents of data/config.yaml. No user interaction or prior authentication is required. [1]
Impact
The exposed data/config.yaml file contains the HS256 jwt_secret_key used to sign dashboard session cookies (as defined in cmd/dashboard/controller/jwt.go). With this secret, an attacker can forge valid admin JWT tokens, impersonate any user, and gain full administrative control over the monitoring dashboard — a complete compromise of confidentiality, integrity, and availability. [1]
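Why a leaked `jwt_secret_key` is sufficient for takeover with HS256 session cookies, as an added Go example (stdlib only; this is not the dashboard's `cmd/dashboard/controller/jwt.go` and the claim names, secret values and expiry are constructed for illustration): a token minted by anyone who holds the secret verifies exactly like a legitimate one, and only replacing the secret invalidates it. That is why upgrading alone does not revoke tokens forged before the upgrade; the secret must be changed as well.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// JWTs use base64url without padding for all three segments.
var b64 = base64.RawURLEncoding

// signHS256 builds a compact JWS: base64url(header).base64url(claims).base64url(HMAC-SHA256).
// claimsJSON is used verbatim; the claim names are an assumption for illustration,
// not the dashboard's real claim set.
func signHS256(claimsJSON string, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body := b64.EncodeToString([]byte(claimsJSON))
	signingInput := header + "." + body
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyHS256 pins the algorithm to HS256, recomputes the MAC over the first two
// segments and compares in constant time. It returns the decoded claims on success.
// Nothing here distinguishes a forged token from a legitimate one: possession of
// the secret is the only thing being checked.
func verifyHS256(token string, secret []byte) (string, bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	header, err := b64.DecodeString(parts[0])
	// Crude alg pin: good enough for the demonstration, a real verifier parses the JSON.
	if err != nil || !strings.Contains(string(header), `"alg":"HS256"`) {
		return "", false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	want := b64.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[2])) {
		return "", false
	}
	claims, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", false
	}
	return string(claims), true
}

func main() {
	// Constructed values: a secret as it might sit in data/config.yaml, and an
	// assumed claim body naming an administrative user.
	leaked := []byte("constructed-jwt-secret-from-config.yaml")
	forged := signHS256(`{"sub":"1","role":"admin","exp":4102444800}`, leaked)

	_, ok := verifyHS256(forged, leaked)
	fmt.Println("forged token accepted with leaked secret:", ok) // true

	// Rotating the secret is what actually revokes the forged token.
	rotated := []byte("constructed-new-secret-after-upgrade")
	_, ok = verifyHS256(forged, rotated)
	fmt.Println("forged token accepted after rotation:", ok) // false
}
```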
Mitigation
The vulnerability is fixed in Nezha Monitoring version 2.0.13. Users should upgrade immediately to this or a later version. No workarounds are documented; the fix updates the path-checking logic to properly validate URL segments. [1]
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
1e0f479bb5bd chore(frontend-templates): bump admin-frontend to v2.0.8
1 file changed · +1 −1
service/singleton/frontend-templates.yaml+1 −1 modified@@ -2,7 +2,7 @@ name: "OfficialAdmin" repository: "https://github.com/nezhahq/admin-frontend" author: "nezhahq" - version: "v2.0.7" + version: "v2.0.8" is_admin: true is_official: true - path: "user-dist"
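Review bot: this hunk changes only the admin-frontend version string (v2.0.7 to v2.0.8) in service/singleton/frontend-templates.yaml; nothing in it touches the strings.HasPrefix check in fallbackToFrontend that the advisory names as the root cause, so the linked patch does not by itself close the traversal. Either the controller change that adds the segment boundary check needs to be linked alongside this commit, or the commit message should explain why a frontend asset bump addresses a Go-side path check.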
Vulnerability mechanics
Root cause
"Missing path-segment boundary check in the prefix filter allows directory traversal via a crafted URL where the traversal sequence is embedded inside the dashboard segment."
Attack vector
An unauthenticated attacker sends a crafted GET request to the dashboard's catch‑all NoRoute handler with a URL such as `/dashboard../data/config.yaml`. The raw string starts with `/dashboard`, satisfying the `strings.HasPrefix` check, but the `..` is part of the `dashboard..` segment rather than a standalone `..` segment, so the guard in `http.ServeFile`, which rejects only whole `..` path elements of `r.URL.Path`, does not fire. After `strings.TrimPrefix` strips `/dashboard`, the remaining `../data/config.yaml` is joined with the `admin-dist` root by `path.Join`, which cleans the result to `data/config.yaml`. `http.ServeFile` then serves the file with no authentication required. An attacker can read the JWT secret key and the SQLite database, then forge an admin session token for full dashboard takeover [ref_id=1].
Affected code
The vulnerable code is in `cmd/dashboard/controller/controller.go` at the `fallbackToFrontend` handler. The prefix check on line 388 uses `strings.HasPrefix(c.Request.URL.Path, "/dashboard")` without requiring a path-segment boundary, and `path.Join` on line 390 normalizes the stripped path, allowing directory traversal outside the `admin-dist` directory. The patch listed on this page (`patch_id=5752443`) only bumps the admin-frontend version and does not touch this code; the segment-aware change that the Description attributes to version 2.0.13 is not part of the linked patch.
What the fix does
The referenced patch [patch_id=5752443] only updates the admin-frontend version from v2.0.7 to v2.0.8 in a YAML configuration file; it does not modify any Go source code and therefore does not close the path traversal. The advisory [ref_id=1] recommends a segment-aware fix: require the prefix to end at a segment boundary (`/dashboard/` or exactly `/dashboard`) and reject any request whose cleaned path no longer lies under the `admin-dist` root. A deployment that has taken only the frontend bump, or that runs any version before 2.0.13, remains exploitable with a single unauthenticated request.
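The bypass described under Attack vector (prefix check satisfied, stdlib `..` guard not triggered, `path.Join` cleaning the remainder out of the root) beside the segment-aware check the advisory proposes, as an added Go example. This is not Nezha's code: `vulnerableResolve` reproduces the flawed logic as the advisory describes it, `stdlibRejects` mirrors the whole-element `..` check that `http.ServeFile` applies to `r.URL.Path`, and `safeResolve` is one way to write the boundary-and-containment check (an assumption about the fix, not the project's patched handler). The `admin-dist` root and the sample request paths are constructed.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// adminDist stands in for the directory the dashboard serves the admin
// frontend from; the name follows the advisory text.
const adminDist = "admin-dist"

// vulnerableResolve reproduces the flawed logic the advisory attributes to
// fallbackToFrontend: a bare string prefix check, TrimPrefix, then path.Join.
// It returns the path that would be handed to http.ServeFile, or "" when the
// request does not match the /dashboard prefix at all.
func vulnerableResolve(urlPath string) string {
	if !strings.HasPrefix(urlPath, "/dashboard") {
		return ""
	}
	rest := strings.TrimPrefix(urlPath, "/dashboard")
	// path.Join cleans as it joins:
	// Join("admin-dist", "../data/config.yaml") == "data/config.yaml"
	return path.Join(adminDist, rest)
}

// stdlibRejects mirrors the guard in http.ServeFile: the request is refused
// only when a whole path element (split on "/" or "\") equals "..".
// The element "dashboard.." is not "..", so the traversal shape above passes.
func stdlibRejects(urlPath string) bool {
	isSlash := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(urlPath, isSlash) {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeResolve is a segment-aware rewrite of the same logic (an assumption
// about the fix, not the project's patched code). Two checks replace the
// bare prefix test: the prefix must end at a path boundary, and the cleaned
// join result must still be adminDist itself or something beneath it.
func safeResolve(urlPath string) (string, bool) {
	if urlPath != "/dashboard" && !strings.HasPrefix(urlPath, "/dashboard/") {
		return "", false
	}
	rest := strings.TrimPrefix(urlPath, "/dashboard")
	full := path.Join(adminDist, rest) // Join also resolves "." and ".." elements
	if full != adminDist && !strings.HasPrefix(full, adminDist+"/") {
		return "", false // cleaned path escaped the root
	}
	return full, true
}

func main() {
	// Constructed sample requests, including the traversal shape from the advisory.
	for _, p := range []string{
		"/dashboard/index.html",
		"/dashboard../data/config.yaml",
		"/dashboard/../data/config.yaml",
		"/dashboard/assets/../index.html",
		"/dashboardx/assets/app.js",
	} {
		safe, ok := safeResolve(p)
		fmt.Printf("%-32s vulnerable=%-28q stdlibRejects=%-5v safe=%q ok=%v\n",
			p, vulnerableResolve(p), stdlibRejects(p), safe, ok)
	}
}
```

The `/dashboard/../data/config.yaml` row shows why the attacker needs the fused `dashboard..` form: with a real `..` element `http.ServeFile` returns 400 on its own, while the vulnerable prefix logic would happily have resolved it. `safeResolve` rejects both shapes, and also `/dashboardx/...`, which the bare prefix check treated as a request for `admin-dist/x/...`.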
Preconditions
- network: Attacker must be able to send HTTP requests to the dashboard's NoRoute handler (the catch‑all route).
- config: The target must be running Nezha dashboard before version 2.0.13 (unpatched code path).
- auth: No authentication or prior knowledge is required; the vulnerability is reachable pre‑auth.
- input: The payload is a single GET request with a crafted URL path such as /dashboard../data/config.yaml.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.