Two Criticals in One Monitoring Platform
Nezha, a 10,000-star self-hosted server monitoring platform used across home labs, small businesses, and development teams, carries two critical vulnerabilities that chain into complete infrastructure compromise. CVE-2026-53519 (CVSS 9.1) exposes the JWT secret key without authentication. A second flaw scores CVSS 9.9 and enables any authenticated member to hijack another user's live terminal session.
The path traversal is elegant: Go's strings.HasPrefix matches /dashboard.. as a valid dashboard path, bypassing route guards. The attacker requests /dashboard../config.yaml and receives the server's jwt_secret_key. With that key, they forge admin tokens. The WebSocket terminal hijack is simpler — session UUIDs have no ownership validation, so any authenticated user can connect to any other user's terminal or file manager session.
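To make the route-guard mistake concrete, here is an added Go example (not Nezha's code; the guard functions and their names are hypothetical) that puts a bare `strings.HasPrefix` check beside a hardened one that normalizes the path and only accepts matches on a path-segment boundary:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Prefix the route guard is meant to protect (assumed for this example).
const dashboardPrefix = "/dashboard"

// guardWeak mirrors the weakness described above: a bare prefix test
// accepts "/dashboard../config.yaml" because the string "/dashboard.."
// begins with "/dashboard", so the request is treated as a dashboard route.
func guardWeak(reqPath string) bool {
	return strings.HasPrefix(reqPath, dashboardPrefix)
}

// guardHardened first normalizes the path (resolving ".", ".." and
// duplicate slashes), then requires either an exact match or a match that
// ends on a "/" boundary. "/dashboard.." and "/dashboardx" are rejected,
// and "/dashboard/../config.yaml" cleans to "/config.yaml" and is rejected.
func guardHardened(reqPath string) bool {
	clean := path.Clean("/" + reqPath)
	if clean == dashboardPrefix {
		return true
	}
	return strings.HasPrefix(clean, dashboardPrefix+"/")
}

func main() {
	// Constructed sample request paths, including the traversal shape.
	samples := []string{
		"/dashboard",
		"/dashboard/servers",
		"/dashboard../config.yaml",
		"/dashboard/../config.yaml",
		"/dashboardx",
	}
	for _, p := range samples {
		fmt.Printf("%-28s weak=%-5v hardened=%v\n", p, guardWeak(p), guardHardened(p))
	}
}
```

The same boundary rule applies to any prefix-based allow or deny list in an HTTP router; compare the cleaned path, not the raw one.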
The Observability Stack Is the Pattern
Yesterday it was Fluentd — the CNCF log collector with a CVSS 9.8 RCE via tag injection. Today it's Nezha — the monitoring dashboard leaking its own secrets. The pattern is unmistakable: observability tools are systematically less hardened than the infrastructure they monitor.
These aren't obscure tools. They're the platforms operations teams rely on for visibility into their infrastructure. When the monitoring platform is the vulnerability, you lose both security and visibility simultaneously. The attacker compromises the tool, then watches you through it.
AI Multiplies This Risk
Monitoring platforms increasingly integrate AI-powered anomaly detection, automated remediation, and intelligent alerting. Each integration adds API keys, credentials, and privileged access. A compromised monitoring dashboard with AI integrations doesn't just leak server metrics — it leaks the AI platform credentials, the remediation playbooks, and the response automation. The attack surface scales with the intelligence you add.
Remediation
Update Nezha immediately. Rotate all JWT secrets. Audit WebSocket session handling for ownership validation. And ask the harder question: should monitoring platforms run with the same network access as the infrastructure they monitor, or should they be isolated behind their own security boundary?