Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible API requires high privileges (PR:H); full plaintext credential disclosure warrants C:H; no integrity or availability impact from the disclosure itself.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.
AnalysisAI
Nezha Monitoring versions prior to 2.2.5 expose stored third-party API credentials in plaintext through two listing API endpoints to any authenticated admin or PAT holder with read-scoped access. The GET /api/v1/ddns and GET /api/v1/notification handlers serialize full database objects - including Cloudflare API tokens, TencentCloud SecretKeys, and Slack, Discord, and Telegram webhook URLs with embedded bot tokens - without any field-level redaction, enabling a single API call to harvest all configured credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session on the Nezha instance - either an admin account or a personal access token (PAT) scoped to nezha:ddns:read (to extract DDNS provider credentials) or nezha:notification:read (to extract notification channel secrets including webhook tokens). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, score 6.9) accurately reflects that exploitation requires high-privilege authentication, substantially constraining the threat surface relative to unauthenticated flaws. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator with a PAT scoped to nezha:ddns:read issues a single authenticated GET request to /api/v1/ddns and receives a JSON array containing the full Cloudflare API token stored in Nezha. The operator then uses that token directly against the Cloudflare API to enumerate DNS zones and modify DNS records, enabling traffic redirection or subdomain takeover on infrastructure managed by the Nezha deployment owner - all without any access to Nezha's administrative interface. |
| Remediation | Upgrade Nezha Monitoring to v2.2.5, which introduces field-level redaction for credential fields in the listDDNS and listNotification API responses. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated path traversal in Nezha Monitoring (nezhahq/nezha) before 2.0.13 allows remote attackers to read arbitra
Host header injection in Nezha Monitoring versions 1.0.0 through 2.2.0 allows unauthenticated remote attackers to redire
Unbounded WebSocket stream allocation in Nezha Monitoring versions 1.0.0 through 2.1.x allows any authenticated dashboar
Nezha Monitoring versions 2.0.14 through 2.1.0 (exclusive) allows any authenticated user to exploit the NAT-based Host c
Incorrect authorization in Nezha Monitoring's DDNS profile subsystem allows an authenticated low-privilege member to pre
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43108