Severity: HIGH. CVE-2026-47120. CNA: GitHub_M

CVE-2026-47120: Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 up to (but not including) version 2.0.8, a RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks, because no ownership check is applied to the referenced tasks. This issue has been patched in version 2.0.8.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: (not recorded)
Affected Products: 1


HarborGuard Analysis

Synopsis

A missing ownership check in Nezha Monitoring allows an authenticated low-privilege user (RoleMember) to trigger cron tasks belonging to other users via the AlertRule.FailTriggerTasks API endpoint. The vulnerability is reachable over the network and requires no victim interaction, only a valid low-privilege account. Successful exploitation lets the attacker fire any existing cron task owned by another user, enabling unauthorized task execution and limited disruption of monitored systems. A patched-image rebuild at version 2.0.8 is available on HarborGuard for environments running an affected version.
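The ownership gap described above, as an added hypothetical Go sketch that is not Nezha's code: the unchecked validation accepts any existing task ID, while the hardened version requires each task in FailTriggerTasks to belong to the requester. The types, the in-memory owner map and the admin exemption are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified model of the scenario (not Nezha's real types):
// an alert rule lists the cron task IDs it fires when a check fails.
type AlertRule struct {
	UserID           uint64   // rule owner
	FailTriggerTasks []uint64 // task IDs fired on failure
}

// Constructed in-memory store: cron task ID -> owning user ID.
var taskOwner = map[uint64]uint64{
	1: 100, // task 1 belongs to user 100
	2: 200, // task 2 belongs to user 200
}
var (
	ErrNotFound = errors.New("task not found")
	ErrNotOwner = errors.New("task not owned by requesting user")
)

// validateUnchecked mirrors the vulnerable pattern: any existing task ID is
// accepted, so a RoleMember can make a rule fire another user's task.
func validateUnchecked(rule AlertRule) error {
	for _, id := range rule.FailTriggerTasks {
		if _, ok := taskOwner[id]; !ok {
			return fmt.Errorf("task %d: %w", id, ErrNotFound)
		}
	}
	return nil
}

// validateOwned is the hardened form: every referenced task must exist and
// belong to the requester; only admins may reference other users' tasks.
// Run the same check when the rule fires, not only when it is saved.
func validateOwned(requester uint64, isAdmin bool, rule AlertRule) error {
	for _, id := range rule.FailTriggerTasks {
		owner, ok := taskOwner[id]
		if !ok {
			return fmt.Errorf("task %d: %w", id, ErrNotFound)
		}
		if !isAdmin && owner != requester {
			return fmt.Errorf("task %d: %w", id, ErrNotOwner)
		}
	}
	return nil
}
```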

HarborGuard Coverage

Detection

Detection of CVE-2026-47120 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Nezha Monitoring. Any image containing a nezhahq/nezha release from 1.4.0 up to (but not including) 2.0.8 is flagged automatically.

Status: Available
Triage

Triage is available with the recorded CVSS 3.1 score of 7.1 (HIGH) applied to each matched image; per-environment compliance policy weighting can escalate or filter the finding based on the sensitivity of the workload. Routed alerts are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

A patched-image rebuild at version 2.0.8 is available on HarborGuard for any environment found running an affected release. For customers who opt into auto-remediation, HarborGuard will rebuild the image, run a regression test suite, and open a PR against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The AlertRule.FailTriggerTasks endpoint is exposed over the network, so the attacker must be able to reach the Nezha Monitoring service via HTTP/S.

  • Authentication: Required

    A valid low-privilege account with the RoleMember role is sufficient; no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker sends the malicious API request directly; no action from another user is needed to trigger the vulnerability.

  • Attack complexity: Low (AC:L)

    Exploitation is straightforward and condition-free; no race conditions or special environmental factors are required.

Blast Radius

  • The attacker fires cron tasks owned by any other user, executing whatever commands or scripts those tasks contain without the owner's consent.
  • Unauthorized task execution can modify server state, alter monitored targets, or disrupt scheduled O&M operations (integrity impact is high).
  • Repeated or bulk task firing can degrade service availability for legitimate users by exhausting task execution resources or interfering with monitoring schedules (availability impact is low).
  • No confidential data is directly exposed through this vulnerability; the confidentiality impact is none.

How HarborGuard Handles This

Available on HarborGuard: images containing nezhahq/nezha versions 1.4.0 through 2.0.7 are matched against CVE-2026-47120 at ingest time, and a patched rebuild at version 2.0.8 is made available immediately. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests, and opens a PR against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is surfaced in the triage queue with the CVSS 7.1 HIGH score and the recommended remediation of upgrading to 2.0.8. As a compensating control in the interim, network policy rules can be used to restrict access to the Nezha Monitoring API to trusted internal IP ranges, reducing the pool of principals who can authenticate as RoleMember and reach the vulnerable endpoint.

Affected packages
  • nezhahq/nezha: >= 1.4.0, < 2.0.8

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L