CVE-2026-46717— Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Possible ATT&CK Techniques 3AI
T1598 · Phishing for Information T1114 · Email Collection T1132 · Data EncodingGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-46717
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
nezhahq nezha 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
nezha是nezhahq组织的一款自托管、轻量级的服务器和网站监控及运维工具。 nezhahq nezha 1.4.0版本至2.0.8之前版本存在安全漏洞,该漏洞源于通知路由通过commonHandler而不是adminHandler处理,导致RoleMember用户可以调用,且处理程序向用户控制的URL发送HTTP请求并在非2xx响应时反射整个响应体,可能导致高保密性影响的未授权访问。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-46717
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7585 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-46717
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-46717 (1)
Same Patch Batch · nezhahq · 2026-06-12 · 13 CVEs total
| CVE-2026-46716 | 9.9 CRITICAL | Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /ap |
| CVE-2026-53519 | 9.1 CRITICAL | Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secr |
| CVE-2026-47120 | 7.1 HIGH | Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTas |
| CVE-2026-48119 | 7.1 HIGH | Nezha Monitoring: Authenticated agents can forge service-monitor results for other users' |
| CVE-2026-49396 | 7.1 HIGH | Nezha Monitoring: Cross-site GET request can trigger stored cron commands on a victim's ag |
| CVE-2026-53523 | 6.8 MEDIUM | Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection |
| CVE-2026-53520 | 6.5 MEDIUM | Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt |
| CVE-2026-53522 | 6.5 MEDIUM | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS |
| CVE-2026-47124 | 6.5 MEDIUM | Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated mem |
| CVE-2026-53521 | 6.4 MEDIUM | Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's |
| CVE-2026-47268 | 6.4 MEDIUM | Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dash |
| CVE-2026-49397 | 5.3 MEDIUM | Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-s |
IV. Related Vulnerabilities
Same product: nezha
- CVE-2026-53523
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injectio - CVE-2026-53522
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exh - CVE-2026-53521
Nezha Monitoring: Stored future DDNS profile ID allows unaut - CVE-2026-53520
Nezha Monitoring: Authenticated users can claim the dashboar - CVE-2026-53519
Nezha Monitoring: Pre-auth path traversal via /dashboard.. p
Same vendor: nezhahq
- CVE-2026-53523
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injectio - CVE-2026-53522
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exh - CVE-2026-53521
Nezha Monitoring: Stored future DDNS profile ID allows unaut - CVE-2026-53520
Nezha Monitoring: Authenticated users can claim the dashboar - CVE-2026-53519
Nezha Monitoring: Pre-auth path traversal via /dashboard.. p
Same weakness: CWE-863
- CVE-2026-9640
LXD Snapshot Import Privilege Escalation Vulnerability - CVE-2026-54091
File Browser: Incorrect access control in public directory s - CVE-2026-54096
File Browser: Improper Access Control Occurs via Pre-Created - CVE-2026-54573
Authorization Bypass in API Key/OAuth Scopes via Path Parsin - CVE-2026-0934
Incorrect Authorization in GitLab
V. Comments for CVE-2026-46717
No comments yet