CVE-2026-47124: Nezha Monitoring: Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated members

May 23, 2026

Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by HasPermission, but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list.

References

github.com/advisories/GHSA-hvv7-hfrh-7gxj
github.com/nezhahq/nezha/security/advisories/GHSA-hvv7-hfrh-7gxj
nvd.nist.gov/vuln/detail/CVE-2026-47124

Code Behaviors & Features

Detect and mitigate CVE-2026-47124 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →