CVE-2026-46717
Status: Received - Intake
Stored XSS in Nezha Monitoring Dashboard via Notification Routes

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 1.4.0 up to, but not including, version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler, so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (with no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
Affected Vendors & Products (1 associated CPE)
Vendor: nezha
Product: monitoring
Version / Range: from 1.4.0 (inclusive) to 2.0.8 (exclusive)
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

Nezha Monitoring is a self-hostable tool for monitoring servers and websites. In versions from 1.4.0 up to but not including 2.0.8, its dashboard supports two user roles: RoleAdmin and RoleMember. However, the notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are handled by a commonHandler instead of an adminHandler, allowing users with the RoleMember role to call them.

These handlers synchronously send an HTTP request to a URL controlled by the user and then reflect the entire response body back to the caller if the response is not a 2xx status, without any size limit. A RoleMember user can therefore make the dashboard issue requests to destinations of their choosing (server-side request forgery, CWE-918) and read back the responses.

This vulnerability was fixed in version 2.0.8.
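The three defects the description names (a missing role check, a request to a caller-supplied URL, and an unbounded response body handed back on non-2xx) and one way to close each, as an added Go example that is not Nezha's own code; the function names, the 4 KiB drain limit and the note that hostnames are not resolved here are my assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
)

const RoleAdmin, RoleMember = 0, 1 // role values named in the advisory

// requireAdmin: the check commonHandler skipped and adminHandler would have enforced.
func requireAdmin(role int) error {
	if role != RoleAdmin {
		return fmt.Errorf("forbidden: role %d is not admin", role)
	}
	return nil
}

// validateNotificationURL allows only http(s) and rejects literal loopback, private,
// link-local and unspecified hosts. Hostnames are not resolved here (assumption:
// the deployment adds a dial-time check on the resolved IP as well).
func validateNotificationURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); host == "" || ip != nil &&
		(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return fmt.Errorf("host %q is not an allowed public address", host)
	}
	return nil
}

// sendNotification drains at most 4 KiB and never surfaces the body: non-2xx is status only.
func sendNotification(client *http.Client, target string) error {
	resp, err := client.Get(target)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, io.LimitReader(resp.Body, 4096)) // bounded drain, discarded
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return fmt.Errorf("notification target returned status %d", resp.StatusCode)
	}
	return nil
}
```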

Impact Analysis

This vulnerability allows users with limited privileges (RoleMember) to trigger HTTP requests to arbitrary URLs and receive the full response body if the response status is not successful (non-2xx).

Because there is no size limit on the reflected response, this could lead to information disclosure or resource exhaustion on the client side. The CVSS score of 7.7 indicates a high severity impact, particularly on confidentiality.

Mitigation Strategies

To mitigate this vulnerability, upgrade Nezha Monitoring to version 2.0.8 or later, where the issue has been patched.
