CVE-2026-49396 | Severity: HIGH | CNA: GitHub_M

CVE-2026-49396: Nezha Monitoring: Cross-site GET request can trigger stored cron commands on a victim's agents

Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, a cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14.

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 2.0.14
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a cross-site request forgery (CSRF) vulnerability in Nezha Monitoring, a self-hostable server and website monitoring tool. An unauthenticated remote attacker can craft a malicious GET request that, when loaded by a logged-in victim's browser, triggers stored cron commands to execute on the victim's connected agents. Successful exploitation lets an attacker tamper with scheduled tasks running on monitored servers and cause service disruption. A patched-image rebuild at version 2.0.14 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-49396 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle Nezha Monitoring in the affected version range (1.0.0 to before 2.0.14).

Triage (Available)

HarborGuard scores this CVE at 7.1 HIGH using the CVSS v3.1 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

A patched-image rebuild pinned to Nezha Monitoring 2.0.14 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard can perform the rebuild, run regression tests, and open a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The malicious GET request is issued by the victim's browser, so that browser must be able to reach the Nezha Monitoring interface.

  • Authentication: Not required

    No credentials are needed; the attacker crafts a link that leverages the victim's existing authenticated session.

  • Victim interaction: Required

    The attack succeeds only if a logged-in Nezha Monitoring user clicks or loads the attacker-controlled link, making social engineering a necessary step.

  • Attack complexity: Low

    The exploit is reliable and condition-free once the victim loads the request; no race conditions or special environmental factors are required.
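As an added defensive example that is not part of this advisory or of Nezha's own code base: a Go middleware showing the two server-side checks that close this class of bug, refusing the GET method for a state-changing endpoint (so a link or image tag can never trigger it) and rejecting browser-declared cross-site requests via the Fetch Metadata and Origin headers. The endpoint path, the deployment origin and the handler name are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// csrfGuard wraps a state-changing handler: a safe method (GET/HEAD) never performs the
// action, and a request the browser marks as cross-site is refused even though the session
// cookie rides along. A per-session CSRF token is the usual complement for older clients.
func csrfGuard(allowedOrigin string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			http.Error(w, "state-changing action requires POST", http.StatusMethodNotAllowed)
			return
		}
		site := r.Header.Get("Sec-Fetch-Site")
		if site != "" && site != "same-origin" && site != "none" {
			http.Error(w, "cross-site request rejected", http.StatusForbidden)
			return
		}
		if origin := r.Header.Get("Origin"); origin != "" && origin != allowedOrigin {
			http.Error(w, "origin mismatch", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// runCron stands in for the handler that dispatches a stored cron command to agents (assumed name).
func runCron(w http.ResponseWriter, _ *http.Request) {
	w.Write([]byte("cron dispatched"))
}

// probe sends a constructed request with the given method and browser headers through the
// guard and returns the HTTP status produced; it is only a harness for exercising the checks.
func probe(method, fetchSite, origin string) int {
	guarded := csrfGuard("https://nezha.example", http.HandlerFunc(runCron))
	req := httptest.NewRequest(method, "https://nezha.example/api/v1/cron/run", nil) // path assumed
	if fetchSite != "" {
		req.Header.Set("Sec-Fetch-Site", fetchSite)
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}
```

A cross-site GET, the shape of the request this advisory describes, is answered with 405 before the handler runs, while a same-origin POST from the configured origin reaches it.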

Blast Radius

  • Stored cron commands are executed on the victim's connected monitoring agents without the legitimate administrator's intent.
  • An attacker modifies the scheduling or content of automated tasks running on monitored servers.
  • Disruption of monitoring agents or the tasks they manage can degrade visibility into server and service health.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-49396 is active across all customer registries and pipelines, matching images that package Nezha Monitoring in the affected range against the advisory. A patched-image rebuild at version 2.0.14 is available for any environment where an affected image is found. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, execute regression tests, and open a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation-enabled environments is around 90 minutes. Where compliance policy requires manual approval, findings are surfaced with CVSS context and routed to the appropriate team for review and action.

Affected packages

  • nezhahq/nezha: >= 1.0.0, < 2.0.14

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L