{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/nezhahq/nezha"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.14"
            },
            {
              "fixed": "2.1.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53521"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-26T23:02:37Z",
    "nvd_published_at": "2026-06-12T22:16:52Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n`PATCH /server/{id}` accepts and persists nonexistent `ddns_profiles` IDs for a member-owned server. If another user later creates a DDNS profile with one of those IDs, the DDNS worker resolves the stored ID and dispatches an update using the other user\u0027s DDNS profile configuration in the context of the attacker\u0027s server.\n\nThis is a second-order authorization bypass: direct binding to an existing foreign DDNS profile is correctly denied, but an unresolved future ID can be stored first and later becomes a live cross-user reference.\n\n## Affected versions\n\nConfirmed on:\n\n- Nezha `v2.0.14`\n- Commit: `8b5e382fe217107c7b777ea9c6b4bc3d2e156202`\n\nThe exact affected version range was not determined.\n\n## Impact\n\nA normal member who owns a server can prebind one or more future DDNS profile IDs to that server. If another user later creates a DDNS profile with a matching ID, the dashboard DDNS worker can use the victim\u0027s DDNS profile/provider configuration for the attacker\u0027s server.\n\nIn the validated worker path, the dispatched DDNS update combines:\n\n- the victim DDNS profile ID and owner\n- the victim profile\u0027s provider type\n- victim profile fields such as domains, access ID, access secret, and retry policy\n- attacker server context, including the attacker\u0027s server ID, owner, IPv4 address, and override DDNS domains\n\nThis can result in unauthorized DDNS update attempts using another user\u0027s DDNS profile context. The attacker does not need permission to bind the victim profile after it exists.\n\nThe following were not validated: credential disclosure, account takeover, or guaranteed external DNS modification across all providers. The credentials remain server-side in the worker path. The downstream DNS impact depends on the victim profile\u0027s provider configuration and what that provider account is authorized to update.\n\n## Affected components\n\n- `PATCH /server/{id}`\n- `cmd/dashboard/controller/server.go`\n- `service/singleton/singleton.go`\n- `service/singleton/ddns.go`\n- `service/singleton/server.go`\n- `pkg/ddns/ddns.go`\n\n## Root cause\n\nThe server update path validates submitted DDNS profile IDs through `CheckPermission`, but that check only rejects existing objects owned by another user. Nonexistent IDs are skipped.\n\nThe `updateServer` path then persists the submitted raw IDs into `DDNSProfilesRaw`, along with override domain data. Later, the DDNS worker resolves the stored profile IDs by ID and dispatches provider updates without revalidating that the resolved profiles belong to the server owner.\n\nAs a result, an invalid unresolved reference can become a valid cross-user reference after another user creates a DDNS profile with the same global auto-increment ID.\n\n## Reproduction summary\n\nThe behavior was validated locally with focused regression tests.\n\n### Controller chain proof\n\nTest file:\n\n`cmd/dashboard/controller/ddns_second_order_test.go`\n\nTest name:\n\n`TestUpdateServerAllowsFutureDDNSProfileBindingThenResolvesVictimProfile`\n\nCommand:\n\n```bash\ngo test ./cmd/dashboard/controller -run TestUpdateServerAllowsFutureDDNSProfileBindingThenResolvesVictimProfile -count=1\n```\n\nResult:\n\n`pass`\n\nThe test demonstrates:\n\n1. A normal member owns server `1`.\n2. DDNS profile ID `1` does not exist.\n3. The member updates their server with `enable_ddns=true` and `ddns_profiles=[1]`.\n4. The request succeeds.\n5. The server persists `DDNSProfiles=[1]`.\n6. Another user later creates a DDNS profile and receives ID `1`.\n7. A fresh attempt by the attacker to bind profile `1` is correctly denied.\n8. The previously stored reference remains active and resolves in the DDNS worker path.\n\n### Provider-level worker proof\n\nTest file:\n\n`service/singleton/ddns_worker_authz_test.go`\n\nTest name:\n\n`TestUpdateDDNSDispatchesVictimProfileForAttackerServer`\n\nCommand:\n\n```bash\ngo test ./service/singleton -run TestUpdateDDNSDispatchesVictimProfileForAttackerServer -count=1\n```\n\nResult:\n\n`pass`\n\nThe test proves that the DDNS worker does not merely resolve the victim profile. It dispatches a DDNS update using the victim profile configuration and attacker server context.\n\nValidated assertions include:\n\n- resolved profile ID is `1`\n- resolved profile owner is victim user `200`\n- processed server is attacker server `1` owned by user `100`\n- provider type is the victim profile\u0027s provider\n- victim profile fields are present in worker dispatch:\n  - domains\n  - access ID\n  - access secret\n  - max retries\n- attacker server context is present in the same dispatch:\n  - IPv4 `198.51.100.44`\n- attacker-controlled override domains are passed to the worker:\n  - `attacker-controlled.example`\n\n## Practicality\n\nThe attack requires predicting or prebinding future DDNS profile IDs. This limits severity, but does not remove the authorization issue.\n\nEvidence supporting practicality:\n\n- DDNS profile IDs are `uint64` GORM primary keys from `model/common.go`.\n- `createDDNS` uses a normal `DB.Create(\u0026p)` flow and returns `p.ID`.\n- `DDNSProfiles` is an unbounded `[]uint64` in `model/server_api.go`.\n- No length or existence validation is applied in `updateServer`.\n- Invalid/future IDs are preserved in the server record.\n- Stored unresolved IDs survive reload.\n- Range prebinding was validated with `[1,2,3,4]`.\n- The DDNS worker consumes stored IDs on future DDNS update events.\n- Worker dispatch can occur after server edit and agent IP-change events.\n- Each DDNS update can retry according to the victim profile\u0027s `MaxRetries`.\n\nThis makes the issue semi-practical: exploitation depends on future ID prediction or range prebinding, but the unresolved IDs persist and can become active later.\n\n## Expected behavior\n\n`PATCH /server/{id}` should reject any submitted DDNS profile ID that does not both:\n\n1. exist, and\n2. belong to the caller or the owner of the server being updated.\n\nThe DDNS worker should also avoid trusting stored profile IDs without revalidating ownership before provider resolution or dispatch.\n\n## Actual behavior\n\n`PATCH /server/{id}` accepts nonexistent DDNS profile IDs and persists them. If another user later creates a DDNS profile with a matching ID, the stored reference resolves to that user\u0027s profile and is consumed by the DDNS worker for the attacker\u0027s server.\n\n## Suggested remediation\n\nApply both bind-time and worker-time validation.\n\nAt bind time:\n\n- Reject nonexistent DDNS profile IDs.\n- Reject DDNS profile IDs that do not belong to the caller/server owner.\n- Reject or limit excessive DDNS profile ID lists if range prebinding is not intended.\n\nAt worker time:\n\n- Revalidate that every resolved DDNS profile still belongs to the owner of the server being processed.\n- Skip or remove stale, nonexistent, or foreign DDNS profile references before provider dispatch.\n\nSuggested regression tests:\n\n- `TestUpdateServerRejectsNonexistentDDNSProfileIDs`\n- `TestUpdateServerRejectsForeignDDNSProfileIDs`\n- `TestUpdateServerAcceptsOwnedDDNSProfileIDs`\n- `TestUpdateDDNSSkipsStaleOrForeignStoredDDNSProfiles`\n\n## Security relevance\n\nA direct bind to an existing foreign DDNS profile is already denied, which shows the intended ownership boundary. The issue is that the same boundary can be bypassed by storing a future unresolved ID before the victim profile exists.\n\nThe worker later treats the stored ID as trusted and dispatches a DDNS update using the victim profile\u0027s provider configuration with attacker server context. This is an authorization issue in a deferred worker path, not merely malformed input.\n\n## Limitations\n\n- The attacker does not read victim DDNS credentials through the validated path.\n- Exploitation may require predicting or prebinding future global auto-increment DDNS profile IDs.\n- The downstream DNS impact depends on the victim profile\u0027s provider configuration.\n- External DNS modification was not claimed as guaranteed across all providers.",
  "id": "GHSA-39g2-8x68-pmx8",
  "modified": "2026-06-26T23:02:37Z",
  "published": "2026-06-26T23:02:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nezhahq/nezha/security/advisories/GHSA-39g2-8x68-pmx8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53521"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nezhahq/nezha"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user\u0027s DDNS profile context"
}