CVE Catalog

CVE-2026-46717

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.37%

29th percentile - higher than 29% of all known CVEs

Summary

Nezha Monitoring is a tool for monitoring servers and websites, which in versions from 1.4.0 to before 2.0.8 allows users with the RoleMember role to make unauthorized HTTP requests. As a result, users can send requests to URLs they control and receive responses, creating a risk of data exposure.

Risk Assessment

The organization may be vulnerable to SSRF (Server-Side Request Forgery) attacks, which could lead to the exposure of sensitive information or allow attackers access to internal network resources.

Recommendation

It is recommended to update Nezha Monitoring to version 2.0.8 or later to mitigate this vulnerability. Additionally, it is advisable to review and restrict the permissions of users with the RoleMember role.

Original NVD description (English source)

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS