GHSA-ww5p-j6cj-6mqqMediumDisclosed before NVD

Nezha Dashboard: DDNS and Notification credential exposure via unredacted list API

Published
June 26, 2026
Last Modified
June 26, 2026

📋 Description

Summary

The GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram webhook URLs with embedded bot tokens, and Authorization header values — without any field-level redaction. Any authenticated admin who calls these endpoints receives every stored credential in the system in a single API response. A compromised admin session or leaked PAT with nezha:ddns:read or nezha:notification:read scope exposes all third-party integration secrets.

Details

The listDDNS and listNotification handlers follow an identical pattern: they call the corresponding singleton GetSortedList(), copier.Copy the full in-memory structs into a response slice, and return them via listHandler with zero field stripping.

DDNS — cmd/dashboard/controller/ddns.go:25–33:

func listDDNS(c *gin.Context) ([]*model.DDNSProfile, error) {
    var ddnsProfiles []*model.DDNSProfile
    list := singleton.DDNSShared.GetSortedList()
    if err := copier.Copy(&ddnsProfiles, &list); err != nil {
        return nil, err
    }
    return ddnsProfiles, nil
}

The DDNSProfile struct (model/ddns.go:20–36) serializes AccessSecret with json:"access_secret,omitempty" — non-empty Cloudflare tokens and TencentCloud SecretKeys are returned in cleartext. The WebhookURL and WebhookHeaders fields may also contain embedded secrets.

Notification — cmd/dashboard/controller/notification.go:25–33:

func listNotification(c *gin.Context) ([]*model.Notification, error) {
    slist := singleton.NotificationShared.GetSortedList()
    var notifications []*model.Notification
    if err := copier.Copy(&notifications, &slist); err != nil {
        return nil, err
    }
    return notifications, nil
}

The Notification struct (model/notification.go:34–44) serializes URL, RequestHeader, and RequestBody — all of which commonly contain embedded bot tokens (Slack, Discord, Telegram), API keys in Authorization headers, and webhook secrets.

Route and authorization (cmd/dashboard/controller/controller.go:155, 171):

auth.GET("/notification", restScopeMiddleware(model.ScopeNotificationRead), listHandler(listNotification))
auth.GET("/ddns", restScopeMiddleware(model.ScopeDDNSRead), listHandler(listDDNS))

Both routes are behind authMw (JWT or PAT) and the corresponding read scope. The listHandlerfilter chain uses HasPermission (model/common.go:63–82) which grants admins access to ALL profiles and restricts members to their own. No separate response struct or field masking exists anywhere in the codebase — confirmed by exhaustive search for DDNSResponse, DDNSView, NotificationResponse, NotificationView, or any JSON middleware that strips sensitive fields.

The codebase already demonstrates awareness of this pattern: serverConfigSensitiveScope() in cmd/dashboard/controller/api_token_scope.go:117 was introduced to restrict client_secret exposure via GET /server/config/:id, tightening the scope from ScopeServerRead to ScopeServerWrite. No equivalent protection exists for the DDNS or Notification list endpoints.

Tested at commit 3d74cd94 (master, post v2.2.3). The vulnerable pattern has existed since the DDNS and notification list endpoints were introduced.

PoC

  1. Deploy nezha with at least one admin user. Configure a DDNS profile with a Cloudflare API token (AccessSecret) and a Notification webhook pointing to a Slack incoming webhook URL (https://hooks.slack.com/services/T.../B.../xxx...).

  2. Authenticate as the admin user. Call:

    # DDNS credentials exposed
    curl -s -H "Authorization: Bearer <admin_jwt>" \
      https://dashboard.example.com/api/v1/ddns \
      | jq '.data[].access_secret'
    
    # Notification webhook secrets exposed
    curl -s -H "Authorization: Bearer <admin_jwt>" \
      https://dashboard.example.com/api/v1/notification \
      | jq '.data[].url'
    
  3. Observe the full Cloudflare API token, Slack webhook URL with embedded token, and any RequestHeader values (e.g., Authorization: Bearer ...) returned in cleartext.

  4. Alternatively, create a PAT with nezha:ddns:read scope:

    curl -s -H "Authorization: Bearer nzp_<pat_secret>" \
      https://dashboard.example.com/api/v1/ddns \
      | jq '.data[].access_secret'
    

    If the PAT creator is an admin, all DDNS secrets are returned in a single response.

  5. Negative control: A member (non-admin) calling the same endpoints only sees their own profiles due to the HasPermission filter (model/common.go:63–82). However, an admin sees ALL profiles with ALL secrets. The security boundary crossed is the credential confidentiality boundary — a read-only listing endpoint should not return write-capable credentials.

Impact

An attacker who compromises an admin session or obtains a PAT with the appropriate read scope can exfiltrate all third-party API credentials stored in the dashboard — Cloudflare API tokens, TencentCloud SecretKeys, Slack/Discord/Telegram bot tokens, and any secrets embedded in webhook URLs or Authorization headers. These credentials can then be used to:

  • Modify DNS records for any domain managed via Cloudflare/TencentCloud DDNS profiles
  • Send messages as the Slack/Discord/Telegram bot to any configured channel
  • Access any other API the compromised credentials grant access to

The attack requires high privileges (admin JWT or PAT with appropriate scope), but the impact is amplified because a single API call exposes ALL stored credentials across ALL DDNS profiles and ALL notification webhooks, with no field-level access control separating metadata from secrets.

Suggested remediation: Introduce separate response structs (e.g., DDNSProfileResponse, NotificationResponse) that omit sensitive fields (AccessSecret, WebhookHeaders, URL, RequestHeader) from list/read endpoints, or use json:"-" tags on sensitive fields and provide them only through a dedicated credential-retrieval endpoint with stricter authorization (analogous to the existing serverConfigSensitiveScope() pattern).

🎯 Affected products1

  • go/github.com/nezhahq/nezha:< 2.2.5

🔗 References (2)