HarborGuard Database
CVE-2026-53519 (CRITICAL). CNA: GitHub_M

CVE-2026-53519: Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secret_key

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. Prior to version 2.0.13, fallbackToFrontend in the dashboard's NoRoute handler treats any URL whose raw string starts with /dashboard as an admin-frontend asset request. The check uses strings.HasPrefix rather than a path-segment match, so the input /dashboard../data/config.yaml is accepted; strings.TrimPrefix leaves ../data/config.yaml; and path.Join("admin-dist", "../data/config.yaml") normalizes to data/config.yaml, which os.Stat finds and http.ServeFile returns. No authentication is required. This issue has been patched in version 2.0.13.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 2.0.13
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability in Nezha Monitoring's dashboard handler allows an unauthenticated remote attacker to read arbitrary files from the server's working directory. The flaw stems from a prefix check using strings.HasPrefix rather than a proper path-segment comparison, so a crafted URL like /dashboard../data/config.yaml bypasses the guard and resolves to a file outside the intended admin-dist directory via path.Join normalization. Successful exploitation leaks sensitive files including jwt_secret_key from the config, enabling full authentication bypass and data tampering. A patched-image rebuild at version 2.0.13 is available on HarborGuard for affected environments.
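The prefix-confusion check described in the advisory text and in the synopsis above, as an added example that is not Nezha's code: a constructed vulnerableResolve reproduces the strings.HasPrefix / TrimPrefix / path.Join sequence, and hardenedResolve beside it requires a real /dashboard/ segment boundary, cleans the remainder as an absolute path so ".." cannot climb above it, and re-checks containment under admin-dist. The function names, the frontendRoot constant and any sample URL not quoted on the page are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed illustration of the check the advisory describes; not Nezha's code.
const frontendRoot = "admin-dist"

// vulnerableResolve mirrors the pre-2.0.13 pattern: a raw-string prefix check,
// TrimPrefix, then path.Join, whose Clean step folds ".." into the parent.
func vulnerableResolve(reqPath string) (string, bool) {
	if !strings.HasPrefix(reqPath, "/dashboard") {
		return "", false
	}
	rel := strings.TrimPrefix(reqPath, "/dashboard")
	return path.Join(frontendRoot, rel), true // "/dashboard../x" -> "x", outside the root
}

// hardenedResolve accepts only an exact "/dashboard" or a "/dashboard/" segment
// match, cleans the remainder as an absolute URL path, and re-checks containment.
func hardenedResolve(reqPath string) (string, bool) {
	if reqPath != "/dashboard" && !strings.HasPrefix(reqPath, "/dashboard/") {
		return "", false // "/dashboard../x" and "/dashboardx" are rejected here
	}
	rel := strings.TrimPrefix(reqPath, "/dashboard")
	cleaned := path.Clean("/" + rel) // "/../data/x" -> "/data/x": ".." cannot pass "/"
	full := path.Join(frontendRoot, cleaned)
	if !insideRoot(full) {
		return "", false
	}
	return full, true
}

// insideRoot is the defence-in-depth check: the joined path must be the root
// itself or live strictly beneath it.
func insideRoot(full string) bool {
	return full == frontendRoot || strings.HasPrefix(full, frontendRoot+"/")
}

func main() {
	for _, p := range []string{"/dashboard/index.html", "/dashboard../data/config.yaml"} {
		v, vok := vulnerableResolve(p)
		h, hok := hardenedResolve(p)
		fmt.Printf("%-32s vulnerable=%q(%v) hardened=%q(%v)\n", p, v, vok, h, hok)
	}
}
```

Both functions operate on the already-decoded request path, which is what net/http exposes as r.URL.Path.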

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-53519 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from nezhahq/nezha base layers. Any image pinned to a version below 2.0.13 will surface as a match in both registry scans and active CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at 9.1 CRITICAL (CVSS v3.1) and surfaces it at the top of the severity queue for any affected image. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the inbox or ticketing integration configured for each customer organization.

Patch: Pending upstream

Because no upstream fix was published at the time of this CVE's initial disclosure, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild at version 2.0.13 available the moment the upstream release is confirmed as the canonical fix. For customers with auto-remediation enabled, the rebuild triggers automatically, paired with a regression test run and a PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable dashboard handler is exposed over the network; an attacker must be able to reach the HTTP/HTTPS port of the Nezha Monitoring instance to send the crafted URL.

  • Authentication: Not required

    No credentials or session token are needed; the path traversal occurs inside the NoRoute handler before any authentication check is applied.

  • Victim interaction: Not required

    The attacker sends a direct HTTP request to the server; no user action or social engineering is involved.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; the attacker simply crafts a URL with the /dashboard.. prefix and the target relative path, with no race conditions or environment-specific layout requirements.

Blast Radius

  • Reads arbitrary files accessible to the Nezha Monitoring process, starting with data/config.yaml, which contains jwt_secret_key.
  • With jwt_secret_key in hand, an attacker forges valid JWT tokens and gains full administrative access to the dashboard and its API.
  • Authenticated API access allows an attacker to modify monitored host configurations, webhook targets, notification channels, and stored credentials for managed servers.
  • Sensitive data for all monitored servers and websites managed through the Nezha instance is exposed to the attacker.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-53519 is active and matches any image running nezhahq/nezha below version 2.0.13. Because the CVSS score is 9.1 CRITICAL and a confirmed fix exists at version 2.0.13, a patched-image rebuild targeting that version is available for affected environments. For customers with auto-remediation enabled, the workflow includes an automated rebuild, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Until a rebuild is deployed, recommended compensating controls include placing the Nezha dashboard behind a network policy that restricts inbound access to trusted source IPs, applying egress filtering to prevent exfiltration of harvested secrets, and treating any existing jwt_secret_key as compromised by rotating it and invalidating all active sessions.
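To support the compensating controls above while a rebuild is pending, here is an added detection example (not HarborGuard's or Nezha's code) that scans combined-format access log lines for requests claiming the /dashboard prefix and carrying a ".." path segment, raw or percent-encoded, after it. The log lines are constructed, and the function names and the log format are assumptions.

```go
package main

import (
	"bufio"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of combined-format access log lines (not real traffic);
// lines 2 and 3 carry the prefix-confusion pattern from the advisory.
const sampleLog = `10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /dashboard/index.html HTTP/1.1" 200 1532
203.0.113.9 - - [01/Jan/2026:10:00:01 +0000] "GET /dashboard../data/config.yaml HTTP/1.1" 200 812
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /dashboard%2e%2e/data/config.yaml HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2026:10:00:03 +0000] "GET /api/v1/server HTTP/1.1" 401 0
`

// reqRe extracts the request target from the quoted request line.
var reqRe = regexp.MustCompile(`"(?:GET|HEAD|POST) (\S+) HTTP/`)

// suspiciousDashboardPath reports whether a request path starts with the raw
// string "/dashboard" and, after percent-decoding, has a ".." segment in the
// remainder the vulnerable handler would hand to path.Join.
func suspiciousDashboardPath(p string) bool {
	if !strings.HasPrefix(p, "/dashboard") {
		return false
	}
	rest := strings.TrimPrefix(p, "/dashboard")
	decoded, err := url.PathUnescape(rest)
	if err != nil {
		decoded = rest // malformed escapes: inspect the raw remainder instead
	}
	for _, seg := range strings.Split(decoded, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// scanLog returns "<client ip> <path>" for every matching request line.
func scanLog(log string) []string {
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		m := reqRe.FindStringSubmatch(line)
		if m != nil && suspiciousDashboardPath(m[1]) {
			hits = append(hits, strings.Fields(line)[0]+" "+m[1])
		}
	}
	return hits
}
```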

Affected packages

  • nezhahq/nezha: < 2.0.13

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N