CVE-2026-53521 is a medium-severity incorrect authorization vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 2.0.14, < 2.1.0. It is fixed in 2.1.0.
Summary PATCH /server/{id} accepts and persists nonexistent ddnsprofiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the context of the attacker's server. This is a second-order authorization bypass: direct binding to an existing foreign DDNS profile is correctly denied, but an unresolved future ID can be stored first and later becomes a live cross-user reference. Affected versions Confirmed on: Nezha v2.0.14 Commit: 8b5e382fe217107c7b777ea9c6b4bc3d2e156202 The exact affected version range was not determined. Impact A normal member who owns a server can prebind one or more future DDNS profile IDs to that server. If another user later creates a DDNS profile with a matching ID, the dashboard DDNS worker can use the victim's DDNS profile/provider configuration for the attacker's server. In the validated worker path, the dispatched DDNS update combines: the victim DDNS profile ID and owner the victim profile's provider type victim profile fields such as domains, access ID, access secret, and retry policy attacker server context, including the attacker's server ID, owner, IPv4 address, and override DDNS domains This can result in unauthorized DDNS update attempts using another user's DDNS profile context. The attacker does not need permission to bind the victim profile after it exists. The following were not validated: credential disclosure, account takeover, or guaranteed external DNS modification across all providers. The credentials remain server-side in the worker path. The downstream DNS impact depends on the victim profile's provider configuration and what that provider account is authorized to update. Affected components PATCH /server/{id} cmd/dashboard/controller/server.go service/singleton/singleton.go service/singleton/ddns.go service/singleton/server.go pkg/ddns/ddns.go Root cause The server update path validates submitted DDNS profile IDs through CheckPermission, but that check only rejects existing objects owned by another user. Nonexistent IDs are skipped. The updateServer path then persists the submitted raw IDs into DDNSProfilesRaw, along with override domain data. Later, the DDNS worker resolves the stored profile IDs by ID and dispatches provider updates without revalidating that the resolved profiles belong to the server owner. As a result, an invalid unresolved reference can become a valid cross-user reference after another user creates a DDNS profile with the same global auto-increment ID. Reproduction summary The behavior was validated locally with focused regression tests. Controller chain proof Test file: cmd/dashboard/controller/ddnssecondordertest.go Test name: TestUpdateServerAllowsFutureDDNSProfileBindingThenResolvesVictimProfile Command: Result: pass The test demonstrates: A normal member owns server 1. DDNS profile ID 1 does not exist. The member updates their server with enableddns=true and ddnsprofiles=[1]. The request succeeds. The server persists DDNSProfiles=[1]. Another user later creates a DDNS profile and receives ID 1. A fresh attempt by the attacker to bind profile 1 is correctly denied. The previously stored reference remains active and resolves in the DDNS worker path. Provider-level worker proof Test file: service/singleton/ddnsworkerauthztest.go Test name: TestUpdateDDNSDispatchesVictimProfileForAttackerServer Command: Result: pass The test proves that the DDNS worker does not merely resolve the victim profile. It dispatches a DDNS update using the victim profile configuration and attacker server context. Validated assertions include: resolved profile ID is 1 resolved profile owner is victim user 200 processed server is attacker server 1 owned by user 100 provider type is the victim profile's provider victim profile fields are present in worker dispatch: domains access ID access secret max retries attacker server context is present in the same dispatch: IPv4 198.51.100.44 attacker-controlled override domains are passed to the worker: attacker-controlled.example Practicality The attack requires predicting or prebinding future DDNS profile IDs. This limits severity, but does not remove the authorization issue. Evidence supporting practicality: DDNS profile IDs are uint64 GORM primary keys from model/common.go. createDDNS uses a normal DB.Create(&p) flow and returns p.ID. DDNSProfiles is an unbounded []uint64 in model/serverapi.go. No length or existence validation is applied in updateServer. Invalid/future IDs are preserved in the server record. Stored unresolved IDs survive reload. Range prebinding was validated with [1,2,3,4]. The DDNS worker consumes stored IDs on future DDNS update events. Worker dispatch can occur after server edit and agent IP-change events. Each DDNS update can retry according to the victim profile's MaxRetries. This makes the issue semi-practical: exploitation depends on future ID prediction or range prebinding, but the unresolved IDs persist and can become active later. Expected behavior PATCH /server/{id} should reject any submitted DDNS profile ID that does not both: exist, and belong to the caller or the owner of the server being updated. The DDNS worker should also avoid trusting stored profile IDs without revalidating ownership before provider resolution or dispatch. Actual behavior PATCH /server/{id} accepts nonexistent DDNS profile IDs and persists them. If another user later creates a DDNS profile with a matching ID, the stored reference resolves to that user's profile and is consumed by the DDNS worker for the attacker's server. Suggested remediation Apply both bind-time and worker-time validation. At bind time: Reject nonexistent DDNS profile IDs. Reject DDNS profile IDs that do not belong to the caller/server owner. Reject or limit excessive DDNS profile ID lists if range prebinding is not intended. At worker time: Revalidate that every resolved DDNS profile still belongs to the owner of the server being processed. Skip or remove stale, nonexistent, or foreign DDNS profile references before provider dispatch. Suggested regression tests: TestUpdateServerRejectsNonexistentDDNSProfileIDs TestUpdateServerRejectsForeignDDNSProfileIDs TestUpdateServerAcceptsOwnedDDNSProfileIDs TestUpdateDDNSSkipsStaleOrForeignStoredDDNSProfiles Security relevance A direct bind to an existing foreign DDNS profile is already denied, which shows the intended ownership boundary. The issue is that the same boundary can be bypassed by storing a future unresolved ID before the victim profile exists. The worker later treats the stored ID as trusted and dispatches a DDNS update using the victim profile's provider configuration with attacker server context. This is an authorization issue in a deferred worker path, not merely malformed input. Limitations The attacker does not read victim DDNS credentials through the validated path. Exploitation may require predicting or prebinding future global auto-increment DDNS profile IDs. The downstream DNS impact depends on the victim profile's provider configuration. External DNS modification was not claimed as guaranteed across all providers.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
CVE-2026-53521 has a CVSS score of 6.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.1.0). Upgrading removes the vulnerable code path.
go
github.com/nezhahq/nezha (>= 2.0.14, < 2.1.0)github.com/nezhahq/nezha → 2.1.0 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-53521 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-53521 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-53521 in your environment →Upgrade github.com/nezhahq/nezha to 2.1.0 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-53521 is a medium-severity incorrect authorization vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 2.0.14, < 2.1.0. It is fixed in 2.1.0. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
CVE-2026-53521 has a CVSS score of 6.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/nezhahq/nezha (go) versions >= 2.0.14, < 2.1.0 is affected.
Yes. CVE-2026-53521 is fixed in 2.1.0. Upgrade to this version or later.
Whether CVE-2026-53521 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/nezhahq/nezha to 2.1.0 or later.