Skip to main content

Nezha Monitoring EUVDEUVD-2026-43108

| CVE-2026-59155 MEDIUM
Information Exposure (CWE-200)
2026-07-10 GitHub_M
6.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.9 MEDIUM

Network-accessible API requires high privileges (PR:H); full plaintext credential disclosure warrants C:H; no integrity or availability impact from the disclosure itself.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 23:02 EUVD
Analysis Generated
Jul 10, 2026 - 22:23 vuln.today

DescriptionCVE.org

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud SecretKeys, Slack, Discord, and Telegram webhook URLs with embedded bot tokens, and Authorization header values, without any field-level redaction. Any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope can receive stored credentials through the listDDNS and listNotification handlers in a single API response. This issue is fixed in version 2.2.5.

AnalysisAI

Nezha Monitoring versions prior to 2.2.5 expose stored third-party API credentials in plaintext through two listing API endpoints to any authenticated admin or PAT holder with read-scoped access. The GET /api/v1/ddns and GET /api/v1/notification handlers serialize full database objects - including Cloudflare API tokens, TencentCloud SecretKeys, and Slack, Discord, and Telegram webhook URLs with embedded bot tokens - without any field-level redaction, enabling a single API call to harvest all configured credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid admin account or scoped PAT
Delivery
Send GET /api/v1/ddns or /api/v1/notification
Exploit
Receive full plaintext credentials in JSON response
Execution
Extract Cloudflare tokens or TencentCloud SecretKeys
Persist
Authenticate directly to third-party cloud APIs
Impact
Modify external infrastructure or exfiltrate data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the Nezha instance - either an admin account or a personal access token (PAT) scoped to nezha:ddns:read (to extract DDNS provider credentials) or nezha:notification:read (to extract notification channel secrets including webhook tokens). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N, score 6.9) accurately reflects that exploitation requires high-privilege authentication, substantially constraining the threat surface relative to unauthenticated flaws. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator with a PAT scoped to nezha:ddns:read issues a single authenticated GET request to /api/v1/ddns and receives a JSON array containing the full Cloudflare API token stored in Nezha. The operator then uses that token directly against the Cloudflare API to enumerate DNS zones and modify DNS records, enabling traffic redirection or subdomain takeover on infrastructure managed by the Nezha deployment owner - all without any access to Nezha's administrative interface.
Remediation Upgrade Nezha Monitoring to v2.2.5, which introduces field-level redaction for credential fields in the listDDNS and listNotification API responses. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy