EXECUTIVE SUMMARY:
CVE-2026-49396 (CVSS score 7.1) is a cross-site request forgery (CSRF) vulnerability in the Nezha dashboard, affecting versions 1.0.0 to 2.0.13 of the nezha package. The dashboard exposes a state-changing GET endpoint for manually triggering cron tasks without CSRF protection. An attacker who knows a valid cron ID owned by the victim can force a logged-in user to trigger that cron task by navigating the victim's browser to a crafted URL, and thereby gains the capability to execute a command that the victim is authorized to run. The potential business impact includes unauthorized execution of sensitive commands on online agents. The attack requires the victim's browser to be logged in to the Nezha dashboard with a valid JWT token, which is sent in the nz-jwt cookie with SameSite set to Lax; Lax allows the cookie to be included in top-level cross-site GET requests.
RECOMMENDATION:
We recommend updating nezha to version 2.0.14.
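The root cause described above is a state-changing action reachable by a plain GET while the session cookie is SameSite=Lax, so a top-level navigation to a crafted link carries the cookie. The following Go example, added here and not code from the Nezha project or the advisory, models that pattern with a hypothetical handler and then wraps it in a guard that requires POST and a same-origin proof (Sec-Fetch-Site, with Origin as a fallback). The handler path /cron/manual, the origin https://dash.example and the cron ID 7 are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// CronService is a constructed stand-in for a dashboard's cron store: it only
// records which task IDs were triggered so the effect of a request is visible.
type CronService struct {
	Runs []string
}

func (c *CronService) Run(id string) { c.Runs = append(c.Runs, id) }

// manualTrigger models the vulnerable pattern (hypothetical, not Nezha's code):
// a state-changing action that fires on any request carrying an id, with neither
// the method nor the origin checked. Because a SameSite=Lax session cookie is
// sent on a top-level cross-site GET, a crafted link is enough to reach it.
func manualTrigger(cs *CronService) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		id := r.FormValue("id")
		if id == "" {
			http.Error(w, "missing id", http.StatusBadRequest)
			return
		}
		cs.Run(id)
		fmt.Fprintf(w, "triggered cron %s\n", id)
	}
}

// CSRFGuard is the hardened form: state changes must arrive via POST (a link
// click or address-bar navigation cannot produce one) and must be proven
// same-origin. trustedOrigin is the dashboard's own origin, e.g. "https://dash.example".
func CSRFGuard(trustedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "state-changing action requires POST", http.StatusMethodNotAllowed)
			return
		}
		if !sameOrigin(r, trustedOrigin) {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sameOrigin trusts the browser-set Sec-Fetch-Site header when present and
// otherwise requires an Origin header that matches the dashboard exactly.
// A request with neither header is rejected: ambiguity is not proof.
func sameOrigin(r *http.Request, trustedOrigin string) bool {
	if sfs := r.Header.Get("Sec-Fetch-Site"); sfs != "" {
		return sfs == "same-origin"
	}
	origin := r.Header.Get("Origin")
	return origin != "" && strings.EqualFold(origin, trustedOrigin)
}

// send replays one request against a handler and returns the HTTP status code.
func send(h http.Handler, method, target string, headers map[string]string) int {
	req := httptest.NewRequest(method, target, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	// Constructed scenario: cron id 7 is a task the victim owns.
	open := &CronService{}
	fmt.Println("unguarded GET:", send(manualTrigger(open), "GET", "/cron/manual?id=7", nil), "runs:", open.Runs)

	guarded := &CronService{}
	h := CSRFGuard("https://dash.example", manualTrigger(guarded))
	fmt.Println("guarded GET:", send(h, "GET", "/cron/manual?id=7", nil), "runs:", guarded.Runs)
	fmt.Println("cross-site POST:", send(h, "POST", "/cron/manual?id=7",
		map[string]string{"Sec-Fetch-Site": "cross-site"}), "runs:", guarded.Runs)
	fmt.Println("same-origin POST:", send(h, "POST", "/cron/manual?id=7",
		map[string]string{"Sec-Fetch-Site": "same-origin"}), "runs:", guarded.Runs)
}
```

Requiring POST alone already closes the navigation-based path the advisory describes, because a SameSite=Lax cookie is not attached to cross-site POSTs; the origin check additionally defends against cookies that are not SameSite-restricted and against browsers that do not implement Lax. Moving the session cookie to SameSite=Strict is a complementary cookie-side control, at the cost of deep links into the dashboard arriving unauthenticated.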
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-8qhj-4f8c-j8qg