CVE-2026-47124 is a medium-severity security vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519. It is fixed in 1.14.15-0.20260517034128-05e5da253519.
Summary Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. Details The server WebSocket route is registered under the optional-auth group in cmd/dashboard/controller/controller.go:71-73: serverStream treats any CtxKeyAuthorizedUser as a member, without checking admin role or per-server ownership, in cmd/dashboard/controller/ws.go:123-139: The authorization boolean is then used as a full/guest switch in getServerStat in cmd/dashboard/controller/ws.go:160-184: For authenticated members, GetSortedList() returns all servers and server.Host is not filtered. There is no call to server.HasPermission(c). The streamed response model in model/server_api.go:5-20 includes server ID/name, public note, host details, runtime state, country code, last active time, and global online count. Host and state fields include platform version, agent version, CPU/GPU names, memory/disk/swap totals, architecture, virtualization, boot time, CPU load, memory/disk/swap usage, network transfer/speed, uptime, TCP/UDP/process counts, temperatures, and GPU utilization, as defined in model/host.go:20-38 and model/host.go:100-112. The normal list endpoint has the expected object-level authorization. GET /api/v1/server is registered with listHandler in cmd/dashboard/controller/controller.go:113, and listHandler filters each returned object with HasPermission in cmd/dashboard/controller/controller.go:263-291: The shared permission model in model/common.go:44-56 allows admins to see all objects but restricts members to objects whose UserID matches their user ID: Mitigations checked: Guests receive GetSortedListForGuest() and Host.Filter() output, but authenticated members bypass both guest restrictions. HideForGuest only affects unauthenticated guests, not members. The normal /api/v1/server list endpoint uses listHandler and is not affected in the same way. No owner/admin filter is applied in the WebSocket path. Candidate score: 12/14 Reachability: 2, default WebSocket API Attacker control: 1, attacker controls authentication state and connection Privilege required: 1, authenticated member Sink impact: 2, cross-tenant sensitive telemetry disclosure Mitigation weakness: 2, no object-level auth in the WebSocket path Default exposure: 2, endpoint is part of default dashboard Safe PoC feasibility: 2, can be verified with local users/servers or statically Exploitability gate: statically confirmed Reachable source: GET /api/v1/ws/server Default/common configuration: dashboard API exposed by default Missing/bypassed mitigation: member-vs-guest check replaces object-level authorization Impact-bearing sink: WebSocket response includes unfiltered all-server telemetry Safe proof: static source-to-sink proof; full runtime test blocked locally by unavailable Go 1.26 toolchain Affected version evidence: confirmed at commit 85b0dd2992733037b019442caffc6c049ba937dd (v2.0.7-1-g85b0dd2) Variant review: normal server list endpoint and guest filtering were checked PoC Static local PoC steps: Start Nezha with two non-admin users and at least one server assigned to each user. Authenticate as user A. Connect to the WebSocket endpoint with user A's token, for example: Observe that the JSON messages contain entries for all servers from singleton.ServerShared.GetSortedList(), including servers whose UserID does not match user A. Compare with GET /api/v1/server using the same token; that route is filtered through listHandler/HasPermission and should only return user A's own servers. Cleanup: no persistent state is created by the WebSocket connection. Local dynamic confirmation note: the full project test/runtime could not be executed in this audit environment because the repository requires Go 1.26 and the local toolchain reported go: download go1.26 for linux/amd64: toolchain not available. Impact This is an authenticated horizontal information disclosure. A low-privileged member can continuously monitor other users' server inventory and live telemetry, including host platform details, agent versions, CPU/GPU details, resource usage, traffic counters, country code, and last-active timestamps. This may expose infrastructure composition, usage patterns, and operational state across tenants. Suggested remediation Apply object-level authorization in getServerStat for authenticated non-admin users. For each server in the stream, include it only if the current user is admin or server.UserID matches the authenticated user. Keep guest filtering and host redaction for unauthenticated users.
CVE-2026-47124 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.14.15-0.20260517034128-05e5da253519). Upgrading removes the vulnerable code path.
go
github.com/nezhahq/nezha (>= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519)github.com/nezhahq/nezha → 1.14.15-0.20260517034128-05e5da253519 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-47124 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-47124 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-47124 in your environment →Upgrade github.com/nezhahq/nezha to 1.14.15-0.20260517034128-05e5da253519 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-47124 is a medium-severity security vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519. It is fixed in 1.14.15-0.20260517034128-05e5da253519.
CVE-2026-47124 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/nezhahq/nezha (go) versions >= 1.4.0, < 1.14.15-0.20260517034128-05e5da253519 is affected.
Yes. CVE-2026-47124 is fixed in 1.14.15-0.20260517034128-05e5da253519. Upgrade to this version or later.
Whether CVE-2026-47124 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/nezhahq/nezha to 1.14.15-0.20260517034128-05e5da253519 or later.