Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Network API exploitable by authenticated members (PR:L); no complexity; scope change reflects cross-tenant DDNS dispatch; no direct confidentiality impact since victim credentials are not returned to the attacker.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L
Description (CVE.org)
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_profiles IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user's DDNS profile configuration in the context of the attacker's server. This issue has been patched in version 2.1.0.
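The missing check described above, sketched in Go as an added example (not Nezha's code and not the 2.1.0 patch; the types, function names and in-memory store are hypothetical). It validates existence and ownership when the IDs are written, and again when the worker resolves them, so IDs stored before an upgrade cannot bind to a profile created later.

```go
package main

import (
	"errors"
	"fmt"
)

// DDNSProfile is a hypothetical stand-in for a stored DDNS profile row.
type DDNSProfile struct {
	ID      uint64
	OwnerID uint64
}

var (
	ErrProfileNotFound = errors.New("ddns profile does not exist")
	ErrProfileNotOwned = errors.New("ddns profile belongs to another user")
)

// ValidateDDNSProfileIDs is the write-time check for a server update:
// every referenced ID must already exist and belong to the caller.
func ValidateDDNSProfileIDs(callerID uint64, ids []uint64, store map[uint64]DDNSProfile) error {
	for _, id := range ids {
		p, ok := store[id]
		if !ok {
			return fmt.Errorf("ddns_profiles id %d: %w", id, ErrProfileNotFound)
		}
		if p.OwnerID != callerID {
			return fmt.Errorf("ddns_profiles id %d: %w", id, ErrProfileNotOwned)
		}
	}
	return nil
}

// ResolveForDispatch is the use-time check: stored IDs that are dangling or
// now point at another user's profile are dropped instead of dispatched.
func ResolveForDispatch(serverOwnerID uint64, storedIDs []uint64, store map[uint64]DDNSProfile) []DDNSProfile {
	var out []DDNSProfile
	for _, id := range storedIDs {
		if p, ok := store[id]; ok && p.OwnerID == serverOwnerID {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed data: user 1 owns profile 7; IDs 150-152 are unassigned.
	store := map[uint64]DDNSProfile{7: {ID: 7, OwnerID: 1}}
	fmt.Println(ValidateDDNSProfileIDs(1, []uint64{150, 151, 152}, store))
	store[150] = DDNSProfile{ID: 150, OwnerID: 2} // another user later receives ID 150
	fmt.Println(len(ResolveForDispatch(1, []uint64{7, 150}, store)))
}
```

Auditing existing server records for `ddns_profiles` entries that fail the same ownership test is a useful follow-up after upgrading, since IDs persisted by a vulnerable version remain in storage.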
Analysis (AI)
Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre-populate their server record with nonexistent DDNS profile IDs, then hijack any future victim-owned DDNS profile whose auto-assigned ID collides with a pre-stored value. Affected versions span 2.0.14 through pre-2.1.0 of the self-hosted nezhahq/nezha platform. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must hold a valid Nezha member account with write access to at least one registered server (PR:L per CVSS vector). … |
| Risk Assessment | The CVSS 6.4 Medium score with S:C accurately captures the cross-tenant nature of this flaw: the attacker does not gain direct access to victim credentials but causes the DDNS worker to act on the victim's behalf, constituting a meaningful authorization boundary violation. … |
| Exploit Scenario | An attacker with a Nezha member account sends a PATCH /server/{id} request for their own registered server, supplying a ddns_profiles field referencing IDs such as 150, 151, and 152 - values not yet assigned to any profile in the database. A victim user subsequently creates a DDNS profile pointing to their Cloudflare account's API token and domain; the database auto-assigns this profile ID 150. … |
| Remediation | Vendor-released patch: version 2.1.0. … |
EUVD-2026-36600