PatchSiren cyber security CVE debrief
CVE-2026-49397 nezhahq CVE debrief
Nezha Monitoring, a self-hostable, lightweight tool for monitoring servers and websites, had a vulnerability from version 2.0.0 to before 2.0.14. The issue allowed for the enumeration of private services (`EnableShowInService: false`) via per-server endpoints, potentially leaking service names and timing data. This vulnerability has been patched in version 2.0.14.
- Vendor: nezhahq
- Product: nezha
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of Nezha Monitoring, especially those who have private services configured (`EnableShowInService: false`), should be aware of this vulnerability and ensure they are running version 2.0.14 or later to mitigate the risk.
Technical summary
The vulnerability, with a CVSS score of 5.3 (Medium severity), is classified under CWE-200 (Information Exposure), CWE-285 (Improper Authorization) and CWE-863 (Incorrect Authorization). The per-server endpoints did not apply the same visibility check as the rest of the dashboard, so an attacker could enumerate services configured as private (`EnableShowInService: false`) and learn their names and timing data.
Defensive priority
Medium
Recommended defensive actions
- Update Nezha Monitoring to version 2.0.14 or later to patch the vulnerability.
- Review and restrict access to per-server endpoints to prevent unauthorized enumeration of private services.
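The defect class described in the technical summary and the second action above is an authorization check that exists on one view but is skipped on another. The following Go example is added here and is not Nezha's own code: it models a per-server listing that ignores the `EnableShowInService` flag beside one that shares the same visibility rule as the public overview. The `Service`, `Viewer` and `ServerID` types and fields are assumptions for the demonstration.

```go
package main

import "fmt"

// Service is a constructed stand-in; only EnableShowInService comes from the advisory.
type Service struct {
	Name                string
	EnableShowInService bool
	ServerID            uint64  // server the check is reported against (assumed)
	LatencyMs           float64 // timing data the advisory says could leak
}

// Viewer is a hypothetical request principal.
type Viewer struct{ Authenticated bool }

// visibleTo is the one visibility rule every endpoint must share.
func visibleTo(s Service, v Viewer) bool { return s.EnableShowInService || v.Authenticated }

func filter(all []Service, keep func(Service) bool) []Service {
	out := []Service{}
	for _, s := range all {
		if keep(s) {
			out = append(out, s)
		}
	}
	return out
}

// serverServicesVulnerable models the defect class: the per-server view filters
// by server but never consults visibleTo, so anonymous callers learn private names and latencies.
func serverServicesVulnerable(all []Service, serverID uint64, _ Viewer) []Service {
	return filter(all, func(s Service) bool { return s.ServerID == serverID })
}

// serverServicesFixed applies the same rule as the public overview, so private services are absent here too.
func serverServicesFixed(all []Service, serverID uint64, v Viewer) []Service {
	return filter(all, func(s Service) bool { return visibleTo(s, v) && s.ServerID == serverID })
}

// sampleServices is constructed data, not a real Nezha configuration.
func sampleServices() []Service {
	return []Service{
		{Name: "public-web", EnableShowInService: true, ServerID: 1, LatencyMs: 42},
		{Name: "internal-db", EnableShowInService: false, ServerID: 1, LatencyMs: 3},
	}
}

func main() {
	anon := Viewer{}
	fmt.Println(len(serverServicesVulnerable(sampleServices(), 1, anon)), "before the fix,", len(serverServicesFixed(sampleServices(), 1, anon)), "after")
}
```

The practical check when reviewing a patch of this kind is that every endpoint returning service data calls the one shared rule rather than re-implementing (or forgetting) it.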
Evidence notes
The vulnerability was patched in version 2.0.14 of Nezha Monitoring. For more information, refer to the GitHub security advisory [GHSA-vrmh-5mmx-hjwx](https://github.com/nezhahq/nezha/security/advisories/GHSA-vrmh-5mmx-hjwx).
Official resources
- CVE-2026-49397 CVE record (CVE.org)
- CVE-2026-49397 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-49397 was published on 2026-06-12T22:16:51.813Z and has not been modified since then.