Skip to main content

Nezha Monitoring EUVD-2026-36601

| CVE-2026-53522 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-12 GitHub_M
Denial Of Service Nezha
6.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
6.5 MEDIUM

Network-reachable dashboard API requires only low-privilege auth; no complexity or interaction needed; impact is exclusively availability with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 23:01 EUVD
Analysis Generated
Jun 12, 2026 - 22:19 vuln.today
CVE Published
Jun 12, 2026 - 21:04 cve.org
MEDIUM 6.5

DescriptionCVE.org

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-lived WebSocket streams to monitored agents: POST /api/v1/terminal → createTerminal() (terminal.go:27-67) and POST /api/v1/file → createFM() (fm.go:28-67). Both call rpc.NezhaHandlerSingleton.CreateStream(streamId, ...) which inserts a new ioStreamContext into an unbounded map[string]*ioStreamContext (s.ioStreams in io_stream.go:59-67). There is no per-user rate limit, no global semaphore, and no per-server connection cap. This issue has been patched in version 2.2.0.

AnalysisAI

Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboard user to exhaust server memory and crash the monitoring service. The two affected endpoints - POST /api/v1/terminal and POST /api/v1/file - each insert a long-lived ioStreamContext into a global Go map with no per-user rate limit, no global semaphore, and no per-server connection cap, making repeated calls a trivial denial-of-service vector. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege dashboard credentials
Delivery
Send rapid POST requests to /api/v1/terminal or /api/v1/file
Exploit
Each request calls CreateStream() inserting a new ioStreamContext into unbounded global map
Execution
Heap memory grows without limit
Persist
Go runtime exhausts available memory
Impact
Nezha dashboard crashes and monitoring becomes unavailable
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid Nezha dashboard account at any privilege level (PR:L per CVSS vector) - no administrative role is needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 6.5 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H is a fair representation of real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privilege Nezha dashboard account - whether via credential theft, a shared team account, or a compromised user - writes a simple loop that issues repeated POST requests to /api/v1/terminal or /api/v1/file. Each request registers a new ioStreamContext in the global unbounded map without triggering any server-side limit, causing heap allocation to grow continuously until the Go runtime crashes the dashboard process and monitoring visibility is lost for all operators.
Remediation Upgrade Nezha Monitoring to version 2.2.0 or later, which introduces the necessary resource controls on stream creation for both the terminal and file manager endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-53519 CRITICAL
9.1 Jun 12

Unauthenticated path traversal in Nezha Monitoring (nezhahq/nezha) before 2.0.13 allows remote attackers to read arbitra
CVE-2026-53523 MEDIUM
6.8 Jun 12

Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire
CVE-2026-53520 MEDIUM
6.5 Jun 12

Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host c
CVE-2026-53521 MEDIUM
6.4 Jun 12

Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre

Share

EUVD-2026-36601 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy