EXECUTIVE SUMMARY:
Two security vulnerabilities have been discovered in the Nezha Monitoring dashboard, which is implemented in the github.com/nezhahq/nezha package. Both can be exploited by a low-privilege RoleMember user. The business risk is significant: the first allows cross-tenant Remote Code Execution (RCE) on every server the dashboard monitors, and the second allows Server-Side Request Forgery (SSRF) that discloses the responses of internal HTTP services to the attacker.

CVE-2026-46716 (CVSS 9.9): a RoleMember user creates a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler the dashboard pushes the command to every server in the global ServerShared map, including servers that belong to other tenants. A low-privilege user can therefore execute arbitrary code on every server monitored by the dashboard.

CVE-2026-46717 (CVSS 8.5): a RoleMember user can make the dashboard send an HTTP request to a user-controlled URL via the notification feature. The dashboard sends the request synchronously and, on any non-2xx response, reflects the entire response body back to the caller. A low-privilege user can therefore read the response bodies of intranet HTTP services through the dashboard.
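The two flaws above come down to the same mistake twice: a member's input is acted on against global state (the whole server map, the dashboard's own network position) without being scoped to what that member is allowed to reach. The following Go example, written for this page and not taken from the nezhahq/nezha code base, shows the unscoped cron target resolution beside a tenant-scoped version, and an SSRF guard for the notification test that refuses internal destinations and returns only the upstream status instead of the body. The Cover semantics (CronCoverAll = every server not listed in Servers, CronCoverIgnoreAll = only the listed ones), the Tenant/Owner fields and all function names are assumptions made for the illustration; the server inventory is a constructed sample.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Simplified stand-ins for the advisory's objects. The Cover semantics
// (CronCoverAll: every server not listed in Servers; CronCoverIgnoreAll: only
// the listed ones) and the Tenant/Owner fields are assumptions for this example.
type Cover int

const (
	CronCoverIgnoreAll Cover = iota
	CronCoverAll
)

type Server struct{ Tenant string }
type Cron struct{ Cover Cover; Servers []uint64; Command string; Owner string }

// resolveTargetsUnscoped reproduces the flaw behind CVE-2026-46716: the task is
// resolved against the whole global server map, so Cover=CronCoverAll with
// Servers=[] targets every server, whoever owns it. A server is a target when
// exactly one of "cover all" and "explicitly listed" holds.
func resolveTargetsUnscoped(c Cron, all map[uint64]*Server) []uint64 {
	explicit := map[uint64]bool{}
	for _, id := range c.Servers {
		explicit[id] = true
	}
	var out []uint64
	for id := range all {
		if (c.Cover == CronCoverAll) != explicit[id] {
			out = append(out, id)
		}
	}
	return out
}

// resolveTargetsScoped keeps the same Cover semantics but first narrows the
// candidates to servers the task owner may manage (all of them for an admin,
// only the owner's tenant for a member), so "all" means "all of mine".
func resolveTargetsScoped(c Cron, all map[uint64]*Server, isAdmin bool) []uint64 {
	visible := map[uint64]*Server{}
	for id, s := range all {
		if isAdmin || s.Tenant == c.Owner {
			visible[id] = s
		}
	}
	return resolveTargetsUnscoped(c, visible)
}

// ipIsInternal: loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), unspecified.
func ipIsInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// checkNotificationURL validates a user-supplied URL before the dashboard
// contacts it (CVE-2026-46717). The resolver is injected so this runs offline;
// in production the address that passed must be the one actually dialed.
func checkNotificationURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("cannot resolve %q: %v", host, err)
	}
	for _, ip := range ips {
		if ipIsInternal(ip) {
			return fmt.Errorf("%q resolves to internal address %s", host, ip)
		}
	}
	return nil
}

// describeUpstream is all the caller learns about the upstream reply: the status,
// never the body, so a non-2xx intranet response cannot be read via the dashboard.
func describeUpstream(status int, body []byte) string {
	if status/100 == 2 {
		return "notification delivered"
	}
	return fmt.Sprintf("notification endpoint returned HTTP %d (%d-byte body withheld)", status, len(body))
}

func main() {
	servers := map[uint64]*Server{1: {"alice"}, 2: {"bob"}, 3: {"bob"}} // constructed sample
	task := Cron{Cover: CronCoverAll, Command: "id", Owner: "alice"}
	fmt.Println(resolveTargetsUnscoped(task, servers), resolveTargetsScoped(task, servers, false))
	fmt.Println(checkNotificationURL("http://169.254.169.254/latest", net.LookupIP), describeUpstream(403, []byte("internal page")))
}
```

Two design points matter in practice. Scoping is applied before the Cover mode is interpreted, so a member's "cover all" can never expand beyond the servers that member owns no matter how the Servers list is filled in. The URL check resolves the host itself and treats an empty or failed resolution as a rejection, but it is only sound if the dialer then connects to the vetted address rather than resolving the name a second time.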
RECOMMENDATION:
We strongly recommend updating github.com/nezhahq/nezha to a version that contains the fixes referenced in the advisories below:
CVE-2026-46716: https://github.com/advisories/GHSA-99gv-2m7h-3hh9
CVE-2026-46717: https://github.com/advisories/GHSA-w4g9-mxgg-j532
Until the update is applied, review any scheduled tasks and notification targets that were created by RoleMember accounts.
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-99gv-2m7h-3hh9
https://github.com/advisories/GHSA-w4g9-mxgg-j532