How is CVE-2026-48119 exploited?

Network reachability (required): The attacker must reach the Nezha Monitoring service over the network to submit forged agent reports. Authentication (required): A low-privilege authenticated agent account is sufficient; no administrative or elevated credentials are needed. Victim interaction (not-required): No action from another user or administrator is required; the attacker submits forged results directly to the service. Attack complexity (info): The exploit is reliable and condition-free, requiring no race conditions or special environmental setup.

What is the impact of CVE-2026-48119?

An attacker submits fabricated health or latency results for services they do not own, replacing legitimate monitoring data with attacker-controlled values. False results suppress alerts or trigger false alarms for other users' services, masking real outages or manufacturing phantom incidents. Persistent injection of forged data degrades the reliability of availability records, corrupting historical uptime metrics and SLA reporting. Downstream automated responses (such as on-call triggers or auto-scaling rules) that rely on monitoring data can be manipulated into taking incorrect actions.

Back to search

HIGHCVE-2026-48119Published 2026-06-12Modified 2026-06-12CNA GitHub_M

CVE-2026-48119: Nezha Monitoring: Authenticated agents can forge service-monitor results for other users' services

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.12, authenticated agents can forge service-monitor results for other users' services. This issue has been patched in version 2.0.12.

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authenticated data-tampering vulnerability in Nezha Monitoring, a self-hostable server and website monitoring tool. An attacker with any valid agent credential can send forged service-monitor results that overwrite or corrupt monitoring data belonging to other users' services; no elevated privileges are needed beyond a basic authenticated agent account. Successful exploitation lets an attacker manipulate monitoring outcomes, causing false health reports, suppressed alerts, or degraded availability readings for services they do not own. A patched release (version 2.0.12) exists upstream; a patched-image rebuild is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Nezha Monitoring. Scans run continuously against both registry images and active pipeline builds, so new image pushes are checked without manual intervention.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 7.1 (High) and weighting it against each environment's compliance policy to determine urgency and routing. Triage results are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

A patched-image rebuild at version 2.0.12 is available on HarborGuard for any environment found running an affected version (>= 0.20.0, < 2.0.12). For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Nezha Monitoring service over the network to submit forged agent reports.
AuthenticationRequired
A low-privilege authenticated agent account is sufficient; no administrative or elevated credentials are needed.
Victim interactionNot required
No action from another user or administrator is required; the attacker submits forged results directly to the service.
Attack complexityDetail
The exploit is reliable and condition-free, requiring no race conditions or special environmental setup.

Blast Radius

An attacker submits fabricated health or latency results for services they do not own, replacing legitimate monitoring data with attacker-controlled values.
False results suppress alerts or trigger false alarms for other users' services, masking real outages or manufacturing phantom incidents.
Persistent injection of forged data degrades the reliability of availability records, corrupting historical uptime metrics and SLA reporting.
Downstream automated responses (such as on-call triggers or auto-scaling rules) that rely on monitoring data can be manipulated into taking incorrect actions.

How HarborGuard Handles This

Available on HarborGuard: any image containing a Nezha Monitoring build in the affected range (>= 0.20.0, < 2.0.12) is flagged automatically as this CVE is ingested. A patched-image rebuild at version 2.0.12 becomes available for affected images once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, executes a regression run, and opens a pull request against affected workloads; for High-severity issues, median time from CVE publication to merged patch PR in auto-remediation environments is around 90 minutes. For environments where an immediate rebuild is not yet actionable, compensating controls include applying network policies that restrict which hosts are permitted to submit agent reports, enforcing strict agent identity validation at the ingress layer, and auditing recent service-monitor submissions for anomalous cross-user patterns. HarborGuard re-evaluates the advisory on each ingest cycle and will surface the patched rebuild the moment it is confirmed available.

See how HarborGuard automates this

Affected packages

nezhahq / nezha
>= 0.20.0, < 2.0.12

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

References

https://github.com/nezhahq/nezha/security/advisories/GHSA-4g6j-g789-rghm

Metrics

Get notified