CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map, including servers that belong to other tenants (the admin's servers and other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup and on to an attacker-controlled webhook. This issue has been patched in version 2.0.8.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A cross-tenant remote code execution vulnerability exists in Nezha Monitoring, a self-hostable server and website monitoring tool. The flaw is reachable over the network by any authenticated low-privilege user (RoleMember) without requiring admin rights or any victim interaction. Successful exploitation lets the attacker run arbitrary shell commands on every connected server across all tenants in the installation, including servers owned by other users and administrators, and exfiltrate the command output to an attacker-controlled webhook. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.
HarborGuard Coverage
- Detection of CVE-2026-46716 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from Nezha Monitoring base layers. (Status: Available)
- HarborGuard is capable of scoring this finding at CVSS 9.9 Critical and weighting it against each environment's compliance policy to determine the urgency tier. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration. (Status: Available)
- Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a patch is available. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required. The vulnerable endpoint (POST /api/v1/cron) is exposed over the network, so an attacker must be able to reach the Nezha dashboard service from a network-accessible path.
- Authentication: Required. A valid low-privilege RoleMember account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.
- Victim interaction: Not required. No victim action is needed; the scheduler automatically pushes the attacker's command to every connected server at each cron tick without any user involvement.
- Attack complexity: Low. Exploitation is reliable and condition-free: the attacker simply creates a cron task with CronCoverAll and an arbitrary command, with no race condition or special environmental state required.
Blast Radius
- Attacker executes arbitrary shell commands on every agent-connected server in the installation, including servers belonging to other tenants and administrators.
- Full confidentiality loss: the attacker reads any file, environment variable, secret, or credential accessible to the agent process on each target server.
- Full integrity loss: the attacker modifies, deletes, or plants files and processes on every affected server across all tenants.
- Command output is exfiltrated to an attacker-controlled webhook via the attacker's own NotificationGroup, enabling persistent data harvesting with no direct network connection needed back to the victim servers.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46716 is active across all connected environments and will match any image running Nezha Monitoring versions 1.4.0 through 2.0.7. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment version 2.0.8 or later is published. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual steps. In the interim, compensating controls worth considering include isolating the Nezha dashboard behind a network policy that restricts access to trusted IP ranges only, requiring strong unique credentials for all RoleMember accounts to reduce the pool of users who can reach the cron API, and reviewing existing cron tasks for signs of CronCoverAll misuse. These controls do not eliminate the vulnerability but reduce exposure until a patch is available.
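As an added illustration of the authorization boundary this advisory describes and of the cron-task review it recommends, the following Go snippet was written for this page and is not Nezha's own code; the type names, the numeric value of CronCoverAll and the sample data are assumptions. ValidateCronCreate shows the check a fixed POST /api/v1/cron handler needs (a non-admin may neither use CronCoverAll nor target servers it does not own), and AuditCronTasks flags existing tasks that match the misuse pattern.

```go
package main

import "fmt"

// Illustrative model of a Nezha-style cron task; names are assumptions, not Nezha's code.
type Role int
const RoleAdmin Role = 1 // any other value, including an unknown user, is non-admin
const CronCoverAll = 1   // constructed value; only the name appears in the advisory
type CronTask struct {
	ID      uint64
	UserID  uint64 // creator of the task
	Cover   int
	Servers []uint64
	Command string
}
// ValidateCronCreate is the kind of authorization check a fix needs (assumed logic):
// a non-admin may not use CronCoverAll and may only target servers it owns.
func ValidateCronCreate(role Role, userID uint64, t CronTask, serverOwner map[uint64]uint64) error {
	if role == RoleAdmin {
		return nil
	}
	if t.Cover == CronCoverAll {
		return fmt.Errorf("task %d: non-admins may not use CronCoverAll", t.ID)
	}
	if len(t.Servers) == 0 {
		return fmt.Errorf("task %d: at least one owned server is required", t.ID)
	}
	for _, sid := range t.Servers {
		if owner, ok := serverOwner[sid]; !ok || owner != userID {
			return fmt.Errorf("task %d: server %d is not owned by user %d", t.ID, sid, userID)
		}
	}
	return nil
}

// AuditCronTasks returns IDs of existing tasks that a non-admin created with
// CronCoverAll or an empty server list: the misuse pattern the advisory describes.
func AuditCronTasks(tasks []CronTask, roles map[uint64]Role) []uint64 {
	var flagged []uint64
	for _, t := range tasks {
		if roles[t.UserID] != RoleAdmin && (t.Cover == CronCoverAll || len(t.Servers) == 0) {
			flagged = append(flagged, t.ID)
		}
	}
	return flagged
}
func main() { // constructed sample: user 1 is admin, user 7 is a member
	tasks := []CronTask{{ID: 10, UserID: 1, Cover: CronCoverAll}, {ID: 11, UserID: 7, Cover: CronCoverAll}}
	fmt.Println("flagged:", AuditCronTasks(tasks, map[uint64]Role{1: RoleAdmin})) // [11]
}
```

An unknown creator is deliberately treated as non-admin so that the audit fails closed rather than silently trusting orphaned tasks.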
Affected Products
- nezhahq/nezha: >= 1.4.0, < 2.0.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H