CVE-2026-53519: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nezhahq nezha
Nezha Monitoring versions prior to 2.0.13 contain a path traversal vulnerability in the dashboard's NoRoute handler. The vulnerability arises because the fallbackToFrontend function incorrectly uses a prefix check that allows crafted URLs to escape the intended admin-frontend asset directory and access arbitrary files on the server without authentication. This issue has been fixed in version 2.0.13.
AI Analysis
Technical Summary
CVE-2026-53519 is a path traversal vulnerability (CWE-22) in Nezha Monitoring, a self-hostable server and website monitoring tool. Before version 2.0.13, the dashboard's NoRoute handler uses strings.HasPrefix to identify admin-frontend asset requests starting with '/dashboard'. This check is insufficient because it does not match path segments, allowing inputs like '/dashboard../data/config.yaml' to bypass restrictions. The path normalization via path.Join results in access to files outside the intended directory, which are then served by http.ServeFile without authentication. This vulnerability allows an unauthenticated attacker to read arbitrary files on the server. The issue is patched in version 2.0.13.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to read arbitrary files on the server hosting Nezha Monitoring by crafting specially formed URLs. This leads to a confidentiality breach with high impact, as sensitive configuration or data files could be exposed. There is no impact on integrity or availability reported.
Mitigation Recommendations
This vulnerability has been fixed in Nezha Monitoring version 2.0.13. Users should upgrade to version 2.0.13 or later to remediate this issue. No other mitigation or temporary workaround is indicated by the vendor advisory.
CVE-2026-53519: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in nezhahq nezha
Description
Nezha Monitoring versions prior to 2.0.13 contain a path traversal vulnerability in the dashboard's NoRoute handler. The vulnerability arises because the fallbackToFrontend function incorrectly uses a prefix check that allows crafted URLs to escape the intended admin-frontend asset directory and access arbitrary files on the server without authentication. This issue has been fixed in version 2.0.13.
CVSS v3.1
Score 9.1critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-53519 is a path traversal vulnerability (CWE-22) in Nezha Monitoring, a self-hostable server and website monitoring tool. Before version 2.0.13, the dashboard's NoRoute handler uses strings.HasPrefix to identify admin-frontend asset requests starting with '/dashboard'. This check is insufficient because it does not match path segments, allowing inputs like '/dashboard../data/config.yaml' to bypass restrictions. The path normalization via path.Join results in access to files outside the intended directory, which are then served by http.ServeFile without authentication. This vulnerability allows an unauthenticated attacker to read arbitrary files on the server. The issue is patched in version 2.0.13.
Potential Impact
An unauthenticated attacker can exploit this vulnerability to read arbitrary files on the server hosting Nezha Monitoring by crafting specially formed URLs. This leads to a confidentiality breach with high impact, as sensitive configuration or data files could be exposed. There is no impact on integrity or availability reported.
Mitigation Recommendations
This vulnerability has been fixed in Nezha Monitoring version 2.0.13. Users should upgrade to version 2.0.13 or later to remediate this issue. No other mitigation or temporary workaround is indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-06-09T17:30:33.456Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c7c90e617e2d834c6c7bb
Added to database: 6/12/2026, 9:39:28 PM
Last enriched: 6/12/2026, 9:54:27 PM
Last updated: 6/13/2026, 1:15:33 AM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.