GHSA-WW5P-J6CJ-6MQQ

Vulnerability from github – Published: 2026-06-26 23:55 – Updated: 2026-06-26 23:55
VLAI
Summary
Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API
Details

Summary

The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — without any field-level redaction. Any authenticated admin who calls these endpoints receives every stored credential in the system in a single API response. A compromised admin session or leaked PAT with nezha:ddns:read or nezha:notification:read scope exposes all third-party integration secrets.

Details

The listDDNS and listNotification handlers follow an identical pattern: they call the corresponding singleton GetSortedList(), copier.Copy the full in-memory structs into a response slice, and return them via listHandler with zero field stripping.

DDNS — cmd/dashboard/controller/ddns.go:25–33:

func listDDNS(c *gin.Context) ([]*model.DDNSProfile, error) {
    var ddnsProfiles []*model.DDNSProfile
    list := singleton.DDNSShared.GetSortedList()
    if err := copier.Copy(&ddnsProfiles, &list); err != nil {
        return nil, err
    }
    return ddnsProfiles, nil
}

The DDNSProfile struct (model/ddns.go:20–36) serializes AccessSecret with json:"access_secret,omitempty" — non-empty Cloudflare tokens and TencentCloud SecretKeys are returned in cleartext. The WebhookURL and WebhookHeaders fields may also contain embedded secrets.

Notification — cmd/dashboard/controller/notification.go:25–33:

func listNotification(c *gin.Context) ([]*model.Notification, error) {
    slist := singleton.NotificationShared.GetSortedList()
    var notifications []*model.Notification
    if err := copier.Copy(&notifications, &slist); err != nil {
        return nil, err
    }
    return notifications, nil
}

The Notification struct (model/notification.go:34–44) serializes URL, RequestHeader, and RequestBody — all of which commonly contain embedded bot tokens (Slack, Discord, Telegram), API keys in Authorization headers, and webhook secrets.

Route and authorization (cmd/dashboard/controller/controller.go:155, 171):

auth.GET("/notification", restScopeMiddleware(model.ScopeNotificationRead), listHandler(listNotification))
auth.GET("/ddns", restScopeMiddleware(model.ScopeDDNSRead), listHandler(listDDNS))

Both routes are behind authMw (JWT or PAT) and the corresponding read scope. The listHandlerfilter chain uses HasPermission (model/common.go:63–82) which grants admins access to ALL profiles and restricts members to their own. No separate response struct or field masking exists anywhere in the codebase — confirmed by exhaustive search for DDNSResponse, DDNSView, NotificationResponse, NotificationView, or any JSON middleware that strips sensitive fields.

The codebase already demonstrates awareness of this pattern: serverConfigSensitiveScope() in cmd/dashboard/controller/api_token_scope.go:117 was introduced to restrict client_secret exposure via GET /server/config/:id, tightening the scope from ScopeServerRead to ScopeServerWrite. No equivalent protection exists for the DDNS or Notification list endpoints.

Tested at commit 3d74cd94 (master, post v2.2.3). The vulnerable pattern has existed since the DDNS and notification list endpoints were introduced.

PoC

  1. Deploy nezha with at least one admin user. Configure a DDNS profile with a Cloudflare API token (AccessSecret) and a Notification webhook pointing to a Slack incoming webhook URL (https://hooks.slack.com/services/T.../B.../xxx...).

  2. Authenticate as the admin user. Call:

```bash # DDNS credentials exposed curl -s -H "Authorization: Bearer " \ https://dashboard.example.com/api/v1/ddns \ | jq '.data[].access_secret'

# Notification webhook secrets exposed curl -s -H "Authorization: Bearer " \ https://dashboard.example.com/api/v1/notification \ | jq '.data[].url' ```

  1. Observe the full Cloudflare API token, Slack webhook URL with embedded token, and any RequestHeader values (e.g., Authorization: Bearer ...) returned in cleartext.

  2. Alternatively, create a PAT with nezha:ddns:read scope:

bash curl -s -H "Authorization: Bearer nzp_<pat_secret>" \ https://dashboard.example.com/api/v1/ddns \ | jq '.data[].access_secret'

If the PAT creator is an admin, all DDNS secrets are returned in a single response.

  1. Negative control: A member (non-admin) calling the same endpoints only sees their own profiles due to the HasPermission filter (model/common.go:63–82). However, an admin sees ALL profiles with ALL secrets. The security boundary crossed is the credential confidentiality boundary — a read-only listing endpoint should not return write-capable credentials.

Impact

An attacker who compromises an admin session or obtains a PAT with the appropriate read scope can exfiltrate all third-party API credentials stored in the dashboard — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram bot tokens, and any secrets embedded in webhook URLs or Authorization headers. These credentials can then be used to:

  • Modify DNS records for any domain managed via Cloudflare/TencentCloud DDNS profiles
  • Send messages as the Slack/Discord/Telegram bot to any configured channel
  • Access any other API the compromised credentials grant access to

The attack requires high privileges (admin JWT or PAT with appropriate scope), but the impact is amplified because a single API call exposes ALL stored credentials across ALL DDNS profiles and ALL notification webhooks, with no field-level access control separating metadata from secrets.

Suggested remediation: Introduce separate response structs (e.g., DDNSProfileResponse, NotificationResponse) that omit sensitive fields (AccessSecret, WebhookHeaders, URL, RequestHeader) from list/read endpoints, or use json:"-" tags on sensitive fields and provide them only through a dedicated credential-retrieval endpoint with stricter authorization (analogous to the existing serverConfigSensitiveScope() pattern).

Severity
5.5 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nezhahq/nezha"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:55:26Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `GET /api/v1/ddns` and `GET /api/v1/notification` endpoints return full resource objects including plaintext third-party API credentials \u2014 Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values \u2014 without any field-level redaction. Any authenticated admin who calls these endpoints receives every stored credential in the system in a single API response. A compromised admin session or leaked PAT with `nezha:ddns:read` or `nezha:notification:read` scope exposes all third-party integration secrets.\n\n### Details\n\nThe `listDDNS` and `listNotification` handlers follow an identical pattern: they call the corresponding singleton `GetSortedList()`, `copier.Copy` the full in-memory structs into a response slice, and return them via `listHandler` with zero field stripping.\n\n**DDNS \u2014 `cmd/dashboard/controller/ddns.go:25\u201333`:**\n\n```go\nfunc listDDNS(c *gin.Context) ([]*model.DDNSProfile, error) {\n    var ddnsProfiles []*model.DDNSProfile\n    list := singleton.DDNSShared.GetSortedList()\n    if err := copier.Copy(\u0026ddnsProfiles, \u0026list); err != nil {\n        return nil, err\n    }\n    return ddnsProfiles, nil\n}\n```\n\nThe `DDNSProfile` struct (`model/ddns.go:20\u201336`) serializes `AccessSecret` with `json:\"access_secret,omitempty\"` \u2014 non-empty Cloudflare tokens and TencentCloud SecretKeys are returned in cleartext. The `WebhookURL` and `WebhookHeaders` fields may also contain embedded secrets.\n\n**Notification \u2014 `cmd/dashboard/controller/notification.go:25\u201333`:**\n\n```go\nfunc listNotification(c *gin.Context) ([]*model.Notification, error) {\n    slist := singleton.NotificationShared.GetSortedList()\n    var notifications []*model.Notification\n    if err := copier.Copy(\u0026notifications, \u0026slist); err != nil {\n        return nil, err\n    }\n    return notifications, nil\n}\n```\n\nThe `Notification` struct (`model/notification.go:34\u201344`) serializes `URL`, `RequestHeader`, and `RequestBody` \u2014 all of which commonly contain embedded bot tokens (Slack, Discord, Telegram), API keys in Authorization headers, and webhook secrets.\n\n**Route and authorization (`cmd/dashboard/controller/controller.go:155, 171`):**\n\n```go\nauth.GET(\"/notification\", restScopeMiddleware(model.ScopeNotificationRead), listHandler(listNotification))\nauth.GET(\"/ddns\", restScopeMiddleware(model.ScopeDDNSRead), listHandler(listDDNS))\n```\n\nBoth routes are behind `authMw` (JWT or PAT) and the corresponding read scope. The `listHandler` \u2192 `filter` chain uses `HasPermission` (`model/common.go:63\u201382`) which grants admins access to ALL profiles and restricts members to their own. No separate response struct or field masking exists anywhere in the codebase \u2014 confirmed by exhaustive search for `DDNSResponse`, `DDNSView`, `NotificationResponse`, `NotificationView`, or any JSON middleware that strips sensitive fields.\n\nThe codebase already demonstrates awareness of this pattern: `serverConfigSensitiveScope()` in `cmd/dashboard/controller/api_token_scope.go:117` was introduced to restrict `client_secret` exposure via `GET /server/config/:id`, tightening the scope from `ScopeServerRead` to `ScopeServerWrite`. No equivalent protection exists for the DDNS or Notification list endpoints.\n\n**Tested at commit `3d74cd94` (master, post v2.2.3).** The vulnerable pattern has existed since the DDNS and notification list endpoints were introduced.\n\n### PoC\n\n1. Deploy nezha with at least one admin user. Configure a DDNS profile with a Cloudflare API token (AccessSecret) and a Notification webhook pointing to a Slack incoming webhook URL (`https://hooks.slack.com/services/T.../B.../xxx...`).\n\n2. Authenticate as the admin user. Call:\n\n   ```bash\n   # DDNS credentials exposed\n   curl -s -H \"Authorization: Bearer \u003cadmin_jwt\u003e\" \\\n     https://dashboard.example.com/api/v1/ddns \\\n     | jq \u0027.data[].access_secret\u0027\n\n   # Notification webhook secrets exposed\n   curl -s -H \"Authorization: Bearer \u003cadmin_jwt\u003e\" \\\n     https://dashboard.example.com/api/v1/notification \\\n     | jq \u0027.data[].url\u0027\n   ```\n\n3. Observe the full Cloudflare API token, Slack webhook URL with embedded token, and any `RequestHeader` values (e.g., `Authorization: Bearer ...`) returned in cleartext.\n\n4. Alternatively, create a PAT with `nezha:ddns:read` scope:\n\n   ```bash\n   curl -s -H \"Authorization: Bearer nzp_\u003cpat_secret\u003e\" \\\n     https://dashboard.example.com/api/v1/ddns \\\n     | jq \u0027.data[].access_secret\u0027\n   ```\n\n   If the PAT creator is an admin, all DDNS secrets are returned in a single response.\n\n5. **Negative control:** A member (non-admin) calling the same endpoints only sees their own profiles due to the `HasPermission` filter (`model/common.go:63\u201382`). However, an admin sees ALL profiles with ALL secrets. The security boundary crossed is the credential confidentiality boundary \u2014 a read-only listing endpoint should not return write-capable credentials.\n\n### Impact\n\nAn attacker who compromises an admin session or obtains a PAT with the appropriate read scope can exfiltrate all third-party API credentials stored in the dashboard \u2014 Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram bot tokens, and any secrets embedded in webhook URLs or Authorization headers. These credentials can then be used to:\n\n- Modify DNS records for any domain managed via Cloudflare/TencentCloud DDNS profiles\n- Send messages as the Slack/Discord/Telegram bot to any configured channel\n- Access any other API the compromised credentials grant access to\n\nThe attack requires high privileges (admin JWT or PAT with appropriate scope), but the impact is amplified because a single API call exposes ALL stored credentials across ALL DDNS profiles and ALL notification webhooks, with no field-level access control separating metadata from secrets.\n\n**Suggested remediation:** Introduce separate response structs (e.g., `DDNSProfileResponse`, `NotificationResponse`) that omit sensitive fields (`AccessSecret`, `WebhookHeaders`, `URL`, `RequestHeader`) from list/read endpoints, or use `json:\"-\"` tags on sensitive fields and provide them only through a dedicated credential-retrieval endpoint with stricter authorization (analogous to the existing `serverConfigSensitiveScope()` pattern).",
  "id": "GHSA-ww5p-j6cj-6mqq",
  "modified": "2026-06-26T23:55:26Z",
  "published": "2026-06-26T23:55:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-ww5p-j6cj-6mqq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nezhahq/nezha"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.