PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59155 nezhahq CVE debrief

Nezha Monitoring, a self-hostable and lightweight tool for monitoring servers and websites, had an issue in versions prior to 2.2.5. The GET /api/v1/ddns and GET /api/v1/notification endpoints returned full resource objects, including plaintext third-party API credentials. This exposure risked sensitive information such as Cloudflare API tokens, TencentCloud SecretKeys, and webhook URLs with embedded bot tokens. The issue allowed any authenticated admin or PAT with nezha:ddns:read or nezha:notification:read scope to receive stored credentials through the listDDNS and listNotification handlers in a single API response. This vulnerability is fixed in version 2.2.5.

Vendor
nezhahq
Product
nezha
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of Nezha Monitoring versions prior to 2.2.5 should be aware of this vulnerability and take immediate action to update their installations. This issue is particularly concerning for administrators who have integrated third-party services like Cloudflare, TencentCloud, Slack, Discord, or Telegram with their Nezha Monitoring setup.

Technical summary

The CVE-2026-59155 vulnerability in Nezha Monitoring versions prior to 2.2.5 exposed sensitive third-party API credentials through its API endpoints. Specifically, the GET /api/v1/ddns and GET /api/v1/notification endpoints returned full resource objects, including plaintext credentials for services like Cloudflare, TencentCloud, Slack, Discord, and Telegram. This issue was due to a lack of field-level redaction in the API responses. The vulnerability could be exploited by any authenticated admin or user with the nezha:ddns:read or nezha:notification:read scope, allowing them to obtain sensitive information through the listDDNS and listNotification handlers.

Defensive priority

High

Recommended defensive actions

  • Update Nezha Monitoring to version 2.2.5 or later
  • Review and rotate exposed third-party API credentials
  • Restrict access to the listDDNS and listNotification handlers
  • Implement additional monitoring for suspicious API activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

The CVE record and NVD entry provide details about this vulnerability. The issue is fixed in Nezha Monitoring version 2.2.5. Users should update their installations and review their security configurations to prevent exploitation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T22:16:45.487Z and has not been modified since.