Nezha Monitoring, WebSocket Session Hijacking (Cross-Tenant RCE), GHSA-q6xx-5vr8-p898 (Critical) -DC-Jun2026-727

This vulnerability affects Nezha Monitoring, a self-hosted, lightweight server and website monitoring tool. The platform supports two user roles: `RoleAdmin` (administrator) and `RoleMember` (standard user). The core of the issue lies in the WebSocket endpoints `GET /ws/terminal/:id` and `GET /ws/file/:id`. These endpoints are designed to provide interactive shell access and file management capabilities for monitored servers.
The vulnerability stems from a missing ownership check in the stream allocation and attachment process. When a stream (terminal or file manager session) is created, the system generates a unique UUID and stores it in an in-memory map without associating it with the user who created it. The subsequent WebSocket connection to `GET /ws/terminal/:id` or `GET /ws/file/:id` only validates that the provided `:id` (the UUID) exists in this map. It does not verify that the authenticated user making the request is the same user who originally created the stream.
This design flaw allows any authenticated user, including a low-privilege `RoleMember`, who can obtain a valid live stream UUID to hijack the session. An attacker can passively obtain the UUID through various side channels, such as reverse-proxy access logs (e.g., nginx, Caddy), Referer headers, browser history, or frontend telemetry data. Once the UUID is captured, the attacker can connect to the WebSocket endpoint and gain full interactive shell access or complete file-manager control over the target server. This effectively results in a cross-tenant Remote Code Execution (RCE) vulnerability. The issue was silently fixed in commit `6661d6a` on 2026-05-18 and shipped in version v2.0.10; the v1.14 line has not received a backport.

DailyCVE Form

Platform: Nezha Dashboard
Version: v1.14.13–v1.14.14, v2.0.0–v2.0.9
Vulnerability: Cross-Tenant Session Hijack
Severity: Critical
Date: 2026-06-26

Prediction: 2026-05-19 (v2.0.10)

What Undercode Says: Analytics

The vulnerability is rooted in the stream management logic. Below are code snippets and concepts from the vulnerable versions.

Stream Allocation (`service/rpc/io_stream.go` in v2.0.9):

The `CreateStream` function creates a stream and stores it in a map without any user context.

```go
func (s *NezhaHandler) CreateStream(streamId string) {
	s.ioStreamMutex.Lock()
	defer s.ioStreamMutex.Unlock()
	// The stream is keyed only by its UUID; nothing records which user created it.
	s.ioStreams[streamId] = &ioStreamContext{
		userIoConnectCh:  make(chan struct{}),
		agentIoConnectCh: make(chan struct{}),
	}
}
```

No creator is bound to the stream.

Stream Attach (`cmd/dashboard/controller/terminal.go` in v2.0.9):

The `terminalStream` function only checks that the UUID exists (`GetStream(streamId)`) before upgrading to a WebSocket connection. It does not compare the authenticated user (`getUid(c)`) against the stream's creator.

```go
// @Router /ws/terminal/{id} [get]
func terminalStream(c *gin.Context) (any, error) {
	streamId := c.Param("id")
	// Only the existence of the UUID is checked; the caller's uid (getUid(c)) is never
	// compared against the stream's creator, so any authenticated user may attach.
	if _, err := rpc.NezhaHandlerSingleton.GetStream(streamId); err != nil {
		return nil, err
	}
	defer rpc.NezhaHandlerSingleton.CloseStream(streamId)
	// ... WebSocket upgrade and bidirectional pipe ...
}
```

The same pattern is present in `fmStream(c)` in `cmd/dashboard/controller/fm.go`.
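As an added illustration (not the project's code and not the contents of commit `6661d6a`, which this page does not show), the following registry binds each stream UUID to its creator at allocation time and enforces that binding at attach time, which is the check both `terminalStream` and `fmStream` lack. The `StreamRegistry` type, the `ownerUid` field and the `uint64` uid type are assumptions of this example.

```go
package main

import (
	"errors"
	"sync"
)

// ioStreamContext adds an owner binding; the ownerUid field and uint64 uids are assumed here.
type ioStreamContext struct {
	ownerUid         uint64
	userIoConnectCh  chan struct{}
	agentIoConnectCh chan struct{}
}

var ErrStreamNotFound = errors.New("stream not found")
var ErrNotOwner = errors.New("stream belongs to another user")

// StreamRegistry stands in for NezhaHandler's ioStreams map and its mutex.
type StreamRegistry struct {
	mu      sync.Mutex
	streams map[string]*ioStreamContext
}

// CreateStream records the creator's uid next to the UUID (the step v2.0.9 omits).
func (r *StreamRegistry) CreateStream(streamId string, ownerUid uint64) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.streams == nil {
		r.streams = make(map[string]*ioStreamContext)
	}
	r.streams[streamId] = &ioStreamContext{
		ownerUid:         ownerUid,
		userIoConnectCh:  make(chan struct{}),
		agentIoConnectCh: make(chan struct{}),
	}
}

// AttachStream is the check terminalStream/fmStream should run before the WebSocket upgrade: the UUID must exist AND the authenticated caller must be its creator.
func (r *StreamRegistry) AttachStream(streamId string, callerUid uint64) (*ioStreamContext, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	ctx, ok := r.streams[streamId]
	if !ok {
		return nil, ErrStreamNotFound
	}
	if ctx.ownerUid != callerUid {
		return nil, ErrNotOwner // a leaked UUID is useless to a different account
	}
	return ctx, nil
}
```

In the handler, a non-owner should receive the same response as an unknown UUID so that the endpoint cannot be used to confirm which UUIDs are live.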

UUID Leakage Vectors:

  • Reverse-proxy access logs (nginx, Caddy, Cloudflare).
  • Referer headers.
  • Browser history / bookmark sync.
  • Frontend telemetry (Sentry, Bugsnag) breadcrumbs.

How to Exploit:

  1. Prerequisites: Have an authenticated account on the Nezha dashboard (any role, including RoleMember).
  2. Capture UUID: As a legitimate user (e.g., admin), open a terminal or file manager session for a target server. The browser will connect to a WebSocket URL like wss://<dashboard>/ws/terminal/<UUID>. Capture this UUID from the network inspector, server access logs, or Referer header.
  3. Hijack Session: From a separate session logged in as a different user (e.g., member), open a WebSocket connection to `wss://<dashboard>/ws/terminal/<UUID>` using the same UUID.
  4. Achieve RCE: The member's WebSocket will attach to the same `ioStreamContext` because `terminalStream` only checks `GetStream(streamId)`. The attacker can now read the admin's shell output and inject keystrokes, achieving shell-level RCE on the target server. The same flow works against `/ws/file/:id` for arbitrary file read/write.

Protection:

  • Upgrade: The primary and most effective mitigation is to upgrade to Nezha version v2.0.10 or later.
  • Backport: For v1.14.x deployments, operators should backport the fix from commit `6661d6a` to a v1.14.15 release, or mark the v1.14 line as end-of-life.
  • Monitor Logs: Actively monitor access logs for unusual WebSocket connection attempts to `/ws/terminal/` or `/ws/file/` from unexpected IPs or user accounts.
  • Restrict Access: Limit dashboard access to trusted users and networks where possible.
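To make the log-monitoring item above concrete, here is an added example (not part of the original advisory) that scans nginx-style combined access log lines and flags any stream UUID that was attached from more than one client IP. The log lines, IPs, timestamps and UUIDs are constructed for this example, and the `SharedStreamUUIDs` function is this example's own; Caddy and Cloudflare log formats would need a different pattern.

```go
package main

import (
	"regexp"
	"sort"
	"strings"
)

// Constructed sample access log lines (nginx combined format); the IPs, UUIDs
// and timestamps are invented for this example.
const sampleLog = `10.0.0.5 - - [18/May/2026:10:01:02 +0000] "GET /ws/terminal/8f1c2a9e-1111-4c3d-9e7b-aaaaaaaaaaaa HTTP/1.1" 101 0 "https://dash.example/server/1" "Mozilla/5.0"
10.0.0.5 - - [18/May/2026:10:01:40 +0000] "GET /api/v1/server HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:03:15 +0000] "GET /ws/terminal/8f1c2a9e-1111-4c3d-9e7b-aaaaaaaaaaaa HTTP/1.1" 101 0 "-" "python-websockets/12.0"
10.0.0.9 - - [18/May/2026:10:05:00 +0000] "GET /ws/file/3b2d0e11-2222-4a4a-8888-bbbbbbbbbbbb HTTP/1.1" 101 0 "https://dash.example/server/2" "Mozilla/5.0"`

// wsLine captures the client IP and the stream UUID of a terminal/file WebSocket request.
var wsLine = regexp.MustCompile(`^(\S+) .*"GET /ws/(?:terminal|file)/([0-9a-fA-F-]{36}) `)

// SharedStreamUUIDs returns, sorted, every stream UUID that was attached from more
// than one client IP. A UUID is meant to be used only by the browser that opened the
// session, so a second source IP is the signal that a leaked UUID was replayed.
func SharedStreamUUIDs(log string) []string {
	ipsByUUID := map[string]map[string]bool{}
	for _, line := range strings.Split(log, "\n") {
		m := wsLine.FindStringSubmatch(line)
		if m == nil {
			continue // not a stream attach request
		}
		ip, uuid := m[1], m[2]
		if ipsByUUID[uuid] == nil {
			ipsByUUID[uuid] = map[string]bool{}
		}
		ipsByUUID[uuid][ip] = true
	}
	var flagged []string
	for uuid, ips := range ipsByUUID {
		if len(ips) > 1 {
			flagged = append(flagged, uuid)
		}
	}
	sort.Strings(flagged)
	return flagged
}
```

Proxy logs carry no user identity, so tying a flagged UUID to the dashboard account that presented it requires the application's own session or audit logs.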

Impact

  • Severity: Critical.
  • Attack Complexity: Low. The attacker only needs an authenticated dashboard account and one captured UUID from a side channel.
  • Confidentiality / Integrity / Availability: All High.
  • Cross-Tenant RCE: An attacker can gain interactive shell access or full file-manager control on a server administered by another user.
  • No Audit Signal: The legitimate session owner receives no visible signal that their session has been hijacked.
  • Worse than CVE-2026-46716: The entry point is a passively-leaked URL rather than an authenticated POST, meaning attackers do not need direct dashboard interaction once the UUID is leaked.

Sources:

Reported By: github.com