Summary Any authenticated non-admin member can connect to the server-status WebSocket and receive telemetry for all servers, including servers owned by other users. The normal server list API filters objects by "HasPermission", but the WebSocket stream treats the presence of any authenticated user as authorization for the full unfiltered server list. Details The server WebSocket route is registered under the optional-auth group in "cmd/dashboard/controller/controller.go:71-73": optionalAuth := api.Group("", optionalAuthMw) optionalAuth.GET("/ws/server", commonHandler(serverStream)) "serverStream" treats any "CtxKeyAuthorizedUser" as a member, without checking admin role or per-server ownership, in "cmd/dashboard/controller/ws.go:123-139": u, isMember := c.Get(model.CtxKeyAuthorizedUser) var userId uint64 if isMember { userId = u.(*model.User).ID } ... stat, err := getServerStat(count == 0, isMember) The authorization boolean is then used as a full/guest switch in "getServerStat" in "cmd/dashboard/controller/ws.go:160-184": if authorized { serverList = singleton.ServerShared.GetSortedList() } else { serverList = singleton.ServerShared.GetSortedListForGuest() } ... servers = append(servers, model.StreamServer{ ID: server.ID, Name: server.Name, PublicNote: utils.IfOr(withPublicNote, server.PublicNote, ""), DisplayIndex: server.DisplayIndex, Host: utils.IfOr(authorized, server.Host, server.Host.Filter()), State: server.State, CountryCode: countryCode, LastActive: server.LastActive, }) For authenticated members, "GetSortedList()" returns all servers and "server.Host" is not filtered. There is no call to "server.HasPermission(c)". The streamed response model in "model/server_api.go:5-20" includes server ID/name, public note, host details, runtime state, country code, last active time, and global online count. Host and state fields include platform version, agent version, CPU/GPU names, memory/disk/swap totals, architecture, virtualization, boot time, CPU load, memory/disk/swap usage, network transfer/speed, uptime, TCP/UDP/process counts, temperatures, and GPU utilization, as defined in "model/host.go:20-38" and "model/host.go:100-112". The normal list endpoint has the expected object-level authorization. "GET /api/v1/server" is registered with "listHandler" in "cmd/dashboard/controller/controller.go:113", and "listHandler" filters each returned object with "HasPermission" in "cmd/dashboard/controller/controller.go:263-291": filtered := filter(c, data) ... return slices.DeleteFunc(s, func(e E) bool { return !e.HasPermission(ctx) }) The shared permission model in "model/common.go:44-56" allows admins to see all objects but restricts members to objects whose "UserID" matches their user ID: if user.Role == RoleAdmin { return true } return user.ID == c.UserID Mitigations checked: - Guests receive "GetSortedListForGuest()" and "Host.Filter()" output, but authenticated members bypass both guest restrictions. - "HideForGuest" only affects unauthenticated guests, not members. - The normal "/api/v1/server" list endpoint uses "listHandler" and is not affected in the same way. - No owner/admin filter is applied in the WebSocket path. Candidate score: 12/14 - Reachability: 2, default WebSocket API - Attacker control: 1, attacker controls authentication state and connection - Privilege required: 1, authenticated member - Sink impact: 2, cross-tenant sensitive telemetry disclosure - Mitigation weakness: 2, no object-level auth in the WebSocket path - Default exposure: 2, endpoint is part of default dashboard - Safe PoC feasibility: 2, can be verified with local users/servers or statically Exploitability gate: statically confirmed - Reachable source: "GET /api/v1/ws/server" - Default/common configuration: dashboard API exposed by default - Missing/bypassed mitigation: member-vs-guest check replaces object-level authorization - Impact-bearing sink: WebSocket response includes unfiltered all-server telemetry - Safe proof: static source-to-sink proof; full runtime test blocked locally by unavailable Go 1.26 toolchain - Affected version evidence: confirmed at commit "85b0dd2992733037b019442caffc6c049ba937dd" ("v2.0.7-1-g85b0dd2") - Variant review: normal server list endpoint and guest filtering were checked PoC Static local PoC steps: 1. Start Nezha with two non-admin users and at least one server assigned to each user. 2. Authenticate as user A. 3. Connect to the WebSocket endpoint with user A's token, for example: GET /api/v1/ws/server HTTP/1.1 Host: 127.0.0.1:8008 Cookie: nz-jwt=<user-a-token> Upgrade: websocket Connection: Upgrade 4. Observe that the JSON messages contain entries for all servers from "singleton.ServerShared.GetSortedList()", including servers whose "UserID" does not match user A. 5. Compare with "GET /api/v1/server" using the same token; that route is filtered through "listHandler"/"HasPermission" and should only return user A's own servers. Cleanup: no persistent state is created by the WebSocket connection. Local dynamic confirmation note: the full project test/runtime could not be executed in this audit environment because the repository requires Go 1.26 and the local toolchain reported "go: download go1.26 for linux/amd64: toolchain not available". Impact This is an authenticated horizontal information disclosure. A low-privileged member can continuously monitor other users' server inventory and live telemetry, including host platform details, agent versions, CPU/GPU details, resource usage, traffic counters, country code, and last-active timestamps. This may expose infrastructure composition, usage patterns, and operational state across tenants. Suggested remediation Apply object-level authorization in "getServerStat" for authenticated non-admin users. For each server in the stream, include it only if the current user is admin or "server.UserID" matches the authenticated user. Keep guest filtering and host redaction for unauthenticated users.