CVE-2026-46717: Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler, so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a server-side request forgery (SSRF) vulnerability in Nezha Monitoring, a self-hostable server and website monitoring tool. Any authenticated user holding a low-privilege RoleMember account can send a crafted POST request to the notification API endpoint, causing the Nezha dashboard server to make an outbound HTTP request to an attacker-controlled URL and reflect the full response body back to the caller. Successful exploitation lets an attacker read responses from internal network resources that the Nezha host can reach, including cloud metadata services, internal APIs, and other services not exposed to the public internet. No patched version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.
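The advisory names three defects in the notification handlers: the routes are reachable by RoleMember because they sit behind commonHandler instead of adminHandler, Send() fetches whatever URL the caller supplies, and a non-2xx response body is reflected back without a size limit. The following Go program is an added illustration of the defensive shape of such a handler; it is not Nezha's code, and the function names (requireAdmin, guardedDial, newOutboundClient, validateTargetURL, responseError, sendNotification) are hypothetical. The role constants follow the values the advisory quotes (RoleAdmin == 0, RoleMember == 1). The destination check runs inside net.Dialer.Control, after DNS resolution, so a hostname that resolves to an internal address is refused at connect time rather than only at parse time.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Role values as quoted in the advisory (assumed to match upstream).
const (
	RoleAdmin  = 0
	RoleMember = 1
)

// Upper bound on how much of a failed response is echoed to the caller.
const maxReflectedBytes = 256

var errForbidden = errors.New("notification management requires RoleAdmin")

// requireAdmin is the authorization gate the vulnerable routes lacked.
func requireAdmin(role int) error {
	if role != RoleAdmin {
		return errForbidden
	}
	return nil
}

// blockedIP covers loopback, RFC1918, link-local (incl. 169.254.0.0/16
// metadata) and unspecified addresses: never valid notification targets.
func blockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()
}

// guardedDial runs for every connection attempt with the already-resolved
// "ip:port", so a rebinding hostname cannot slip past a parse-time check.
func guardedDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || blockedIP(ip) {
		return fmt.Errorf("refusing to connect to %s: internal or reserved address", host)
	}
	return nil
}

// newOutboundClient wires guardedDial into the transport and disables
// redirects, so a public URL cannot bounce the request inward.
func newOutboundClient(timeout time.Duration) *http.Client {
	d := &net.Dialer{Timeout: timeout, Control: guardedDial}
	return &http.Client{
		Timeout:   timeout,
		Transport: &http.Transport{DialContext: d.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// validateTargetURL rejects non-HTTP schemes and internal IP literals early.
func validateTargetURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && blockedIP(ip) {
		return fmt.Errorf("target %s is an internal address", u.Hostname())
	}
	return nil
}

// responseError reports a non-2xx status with at most maxReflectedBytes of
// body, instead of reflecting the whole thing.
func responseError(resp *http.Response) error {
	if resp.StatusCode >= 200 && resp.StatusCode < 300 {
		return nil
	}
	snippet, _ := io.ReadAll(io.LimitReader(resp.Body, maxReflectedBytes))
	return fmt.Errorf("notification target returned %d: %s", resp.StatusCode, strings.TrimSpace(string(snippet)))
}

// sendNotification is the hardened Send() step: role gate, URL validation,
// guarded dial, bounded error reflection.
func sendNotification(ctx context.Context, client *http.Client, role int, target, payload string) error {
	if err := requireAdmin(role); err != nil {
		return err
	}
	if err := validateTargetURL(target); err != nil {
		return err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, target, strings.NewReader(payload))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return responseError(resp)
}

func main() {
	// Constructed input: the metadata endpoint from the Blast Radius list.
	client := newOutboundClient(5 * time.Second)
	target := "http://169.254.169.254/latest/meta-data/"
	fmt.Println("member:", sendNotification(context.Background(), client, RoleMember, target, "{}"))
	fmt.Println("admin:", sendNotification(context.Background(), client, RoleAdmin, target, "{}"))
}
```

Two of the layers are independent of each other on purpose: the role gate closes the privilege gap the advisory describes, while the dial-time address check and the bounded error body limit what even an administrator's misconfigured webhook can leak. Running the program offline prints the role refusal for the member and the address refusal for the admin, with no connection ever attempted to the metadata range.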
HarborGuard Coverage
Detection of CVE-2026-46717 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the Nezha Monitoring dashboard. Any image found to carry a vulnerable version of nezhahq/nezha (>=1.4.0, <2.0.8) will surface in the affected-image list for that environment.
HarborGuard scores this finding at CVSS 7.7 HIGH per the v3.1 vector and weights it against each environment's compliance policy to determine urgency tier and routing. The finding is dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Because no upstream fix version has been published, HarborGuard re-examines the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment nezhahq/nezha releases a remediated version. In the interim, compensating controls are available: customers can apply network egress policies to restrict outbound HTTP from the Nezha dashboard container, and role-assignment reviews can limit RoleMember account issuance to trusted users only.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Nezha dashboard's HTTP API over the network, as the CVSS vector specifies AV:N (network-accessible attack surface).
- Authentication: Required
A valid low-privilege RoleMember account is sufficient; no administrative privileges are needed, but unauthenticated access alone does not trigger this path.
- Victim interaction: Not required
No interaction from another user or administrator is needed; the attacker sends the crafted request directly and the server acts on it immediately.
- Attack complexity: Low
Attack complexity is low (AC:L), meaning the exploit is straightforward and repeatable with no race conditions, special memory layout, or other environmental dependencies required.
Blast Radius
- Reads HTTP responses from internal network hosts and services that the Nezha dashboard server can reach, such as cloud instance metadata endpoints (e.g. 169.254.169.254) or internal microservices.
- Reads full, unsized response bodies from those internal targets, meaning credentials, tokens, and configuration data returned by internal services are exposed to the attacker.
- Allows internal network topology enumeration by probing arbitrary IP addresses and ports and observing whether responses are reflected or errors are returned.
How HarborGuard Handles This
Available on HarborGuard: any image running nezhahq/nezha at a version between 1.4.0 and 2.0.8 is flagged as affected, scored at CVSS 7.7 HIGH, and routed to the owning team according to the environment's compliance policy. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger the rebuild-and-PR workflow automatically when nezhahq/nezha publishes a fix; for customers with auto-remediation enabled, that means a rebuilt image, a regression-test run, and a PR opened against affected workloads with no manual intervention required. While no patch is available, recommended compensating controls include applying a Kubernetes NetworkPolicy or equivalent egress filter to block or restrict outbound HTTP connections from the Nezha dashboard container, and auditing RoleMember account assignments to ensure only trusted internal users hold that role.
Affected Products
- nezhahq/nezha: >= 1.4.0, < 2.0.8
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N