CVE-2026-48119 is a high-severity missing authorization vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15. It is fixed in 1.14.15-0.20260521020202-02129f16fb15, 2.0.12.
Summary Nezha accepts service-monitor TaskResult messages from an authenticated agent based only on whether the reported service ID exists. The dashboard authenticates the agent and derives the reporter server ID from the gRPC stream, but the service-monitor result worker does not verify that the reporter server was selected for that service, belongs to the service owner, or was actually assigned that monitoring task. A low-privilege user with a valid agent secret and one registered agent can therefore submit forged monitoring results for another user's service ID. This allows cross-tenant corruption of service-monitor history/current state, and can influence victim-owned service notifications with attacker-controlled result text. Details The agent task stream accepts inbound TaskResult messages after authenticating agent metadata: service/rpc/auth.go:23-60 validates clientsecret and clientuuid. service/rpc/auth.go:63-75 registers an unknown valid UUID as a server for the authenticated secret owner. service/rpc/nezha.go:40-48 authenticates the RequestTask stream and binds it to clientID. service/rpc/nezha.go:50-56 receives agent-controlled TaskResult messages. proto/nezha.proto:60-65 defines attacker-controlled TaskResult.id, type, delay, data, and successful. For service-monitor task types, the result is dispatched directly to the service sentinel using the authenticated server ID as reporter: service/rpc/nezha.go:85-90 dispatches service-monitor result types to ServiceSentinelShared.Dispatch with Reporter: clientID. model/service.go:131-140 treats non-operational task types as service-monitor result types. The vulnerable authorization gap is in the service-monitor worker: service/singleton/servicesentinel.go:475-483 checks only that r.Data.GetId() resolves to an existing service. It does not check that r.Reporter is covered by that service. It does not check that the service owner owns the reporter server. It does not check that the dashboard actually sent this service-monitor task to that agent. The forged result is then recorded and used for service status processing: service/singleton/servicesentinel.go:487-528 records ping service history keyed by ServiceID and Reporter. service/singleton/servicesentinel.go:543-624 updates today's status, current service state, and state-change handling. service/singleton/servicesentinel.go:723-739 can send victim-owned notifications containing mh.Data, which is attacker-controlled result text. This is inconsistent with outbound service-monitor dispatch, which does enforce service coverage and ownership before sending tasks to agents: cmd/dashboard/rpc/rpc.go:84-109 sends service-monitor tasks only to selected/non-skipped servers according to Service.Cover and SkipServers. cmd/dashboard/rpc/rpc.go:96-107 calls canSendTaskToServer before sending. cmd/dashboard/rpc/rpc.go:182-193 permits outbound dispatch only when the service owner owns the server, or when the service owner is an admin. cmd/dashboard/controller/service.go:478-480 and cmd/dashboard/controller/service.go:590-607 validate selected servers, trigger tasks, and notification groups during service creation/update. The inbound result path should mirror these authorization checks before accepting a result. PoC The following local PoC creates a temporary Go test file in service/singleton, uses an in-memory SQLite database, does not start the dashboard listener, does not contact public systems, and removes the temporary test file on exit. The PoC proves the vulnerable processing path by creating: victim user ID 100; victim service ID 10; victim server ID 1; attacker user ID 200; attacker reporter server ID 2. The victim service is configured with ServiceCoverIgnoreAll and only server 1 enabled. Therefore, the dashboard's outbound service-monitor dispatch logic would not send this task to attacker server 2. The forged inbound result from reporter 2 is nevertheless accepted and creates a ServiceHistory row for victim service 10. Environment tested: Repository: https://github.com/nezhahq/nezha.git Commit: 79c06d0f95ad4e0eedc01a72fc0c54f4666cb0bf OS: Linux Test date: 2026-05-19 From a clean checkout of the tested commit, run: Expected vulnerable output: Observed output in my local test environment: The test passes because a forged result from reporter server 2 creates a service-history row for victim service 10, even though service 10 only covers victim server 1. A fixed version should reject or ignore this forged result. After a fix, the current PoC should fail at the assertion waiting for a ServiceHistory row unless the test is changed to assert that count == 0. Note: this is a local processing-path PoC. It directly exercises the same service sentinel worker that the authenticated gRPC RequestTask path dispatches to. It does not open a network gRPC connection, send real notifications, or execute commands. Impact A low-privilege Nezha user with a valid agent secret can forge service-monitor results for services outside their ownership boundary. Confirmed impact: Cross-tenant service-monitor integrity violation. False service history entries for victim-owned services. Poisoned service availability/current-state data. Likely impact through the same processing path: Victim-owned service notifications can be triggered with attacker-controlled result text. Monitoring reliability can be degraded by false up/down/latency results. This does not require dashboard administrator privileges. The attacker only needs a normal account/agent secret and one registered agent/server.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2026-48119 has a CVSS score of 7.1 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (1.14.15-0.20260521020202-02129f16fb15, 2.0.12). Upgrading removes the vulnerable code path.
go
github.com/nezhahq/nezha (>= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15)github.com/nezhahq/nezha (>= 2.0.0, < 2.0.12)github.com/nezhahq/nezha → 1.14.15-0.20260521020202-02129f16fb15 (go)github.com/nezhahq/nezha → 2.0.12 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-48119 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-48119 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-48119 in your environment →Upgrade the following packages to resolve this vulnerability:
github.com/nezhahq/nezha to 1.14.15-0.20260521020202-02129f16fb15 or latergithub.com/nezhahq/nezha to 2.0.12 or laterKodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-48119 is a high-severity missing authorization vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15. It is fixed in 1.14.15-0.20260521020202-02129f16fb15, 2.0.12. The application does not perform an authorization check before performing a sensitive operation.
CVE-2026-48119 has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/nezhahq/nezha (go) versions >= 0.20.0, < 1.14.15-0.20260521020202-02129f16fb15 is affected.
Yes. CVE-2026-48119 is fixed in 1.14.15-0.20260521020202-02129f16fb15, 2.0.12. Upgrade to this version or later.
Whether CVE-2026-48119 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
github.com/nezhahq/nezha to 1.14.15-0.20260521020202-02129f16fb15 or latergithub.com/nezhahq/nezha to 2.0.12 or later