CVE-2026-47124 MEDIUM

CVE-2026-47124: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

Vendor Nezhahq
Product nezha
Weakness CWE-200 · Info exposure
Published June 12, 2026
Last update June 15, 2026
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.9, any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. This issue has been patched in version 2.0.9.

Key dates

02Disclosure timeline

June 12, 2026 CVE published
June 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-50298 Apache Solr: Solr can expose ZooKeeper credentials via Streaming Expressions CVE-2024-27090 Decidim vulnerable to data disclosure through the embed feature CVE-2025-12149 Unauthorized access to documents protected by Document-Level Security (DLS), when Signals watches include a search query involving protected documents CVE-2026-6000 code-projects Online Library Management System SQL Database Backup File library.sql information disclosure CVE-2025-9196 Trinity Audio <= 5.21.0 - Unauthenticated Information Exposure