CVE-2026-46717
Deferred Deferred - Pending Action

Stored XSS in Nezha Monitoring Dashboard via Notification Routes

Vulnerability report for CVE-2026-46717, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler β€” so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-12
Last Modified
2026-06-15
Generated
2026-07-03
AI Q&A
2026-06-13
EPSS Evaluated
2026-07-02
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nezha monitoring From 1.4.0 (inc) to 2.0.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Nezha Monitoring is a self-hostable tool for monitoring servers and websites. In versions from 1.4.0 up to but not including 2.0.8, its dashboard supports two user roles: RoleAdmin and RoleMember. However, the notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are handled by a commonHandler instead of an adminHandler, allowing users with the RoleMember role to call them.

These handlers synchronously send an HTTP request to a URL controlled by the user and then reflect the entire response body back to the caller if the response is not a 2xx status, without any size limit. This behavior can be exploited by RoleMember users to potentially cause issues.

This vulnerability was fixed in version 2.0.8.

Impact Analysis

This vulnerability allows users with limited privileges (RoleMember) to trigger HTTP requests to arbitrary URLs and receive the full response body if the response status is not successful (non-2xx).

Because there is no size limit on the reflected response, this could lead to information disclosure or resource exhaustion on the client side. The CVSS score of 7.7 indicates a high severity impact, particularly on confidentiality.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nezha Monitoring to version 2.0.8 or later, where the issue has been patched.

Compliance Impact

The vulnerability allows a low-privilege user to perform Server-Side Request Forgery (SSRF) attacks, enabling unauthorized access to sensitive internal resources such as admin login pages and AWS IMDSv2 metadata.

This unauthorized access to sensitive data could lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Additionally, the denial-of-service risk due to unbounded memory consumption could impact system availability, which is also a concern under many compliance frameworks.

Detection Guidance

This vulnerability can be detected by monitoring and testing the POST /api/v1/notification and PATCH /api/v1/notification/:id endpoints on the Nezha dashboard for unauthorized SSRF attempts by low-privilege RoleMember users.

Specifically, you can attempt to send crafted HTTP requests as a RoleMember user to these endpoints with URLs pointing to internal or sensitive resources (e.g., internal admin pages or AWS IMDSv2 metadata endpoints) and observe if the full response body is reflected back.

Commands to test this might include using curl to send POST requests with JSON payloads containing URLs to internal resources, for example:

  • curl -X POST -H "Content-Type: application/json" -d '{"url":"http://169.254.169.254/latest/meta-data/"}' http://<nezha-dashboard>/api/v1/notification
  • curl -X PATCH -H "Content-Type: application/json" -d '{"url":"http://internal-admin-page"}' http://<nezha-dashboard>/api/v1/notification/<id>

If the response contains the content of the internal resource or large response bodies are reflected, it indicates the presence of the SSRF vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46717. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart