CVE-2026-47268
Status: Received - Intake
Blind SSRF in Nezha Monitoring via DDNS Webhook Configuration

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
Nezha Monitoring is a self-hostable, lightweight server and website monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with the webhook provider and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient, without the SSRF protections applied to notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.
Meta Information
Generated: 2026-06-13
AI Q&A: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: nezha_monitoring
Product: nezha
Version / Range: up to 2.0.10 (excluding 2.0.10)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Executive Summary

This vulnerability exists in Nezha Monitoring versions from 0.20.0 up to before 2.0.10. An authenticated user with access to the Nezha dashboard can create or update a DDNS profile that includes an arbitrary webhook URL, HTTP method, request body, and headers. When a DDNS update is triggered, the dashboard sends the configured HTTP request without the SSRF protections that notification webhooks receive. This allows the user to make the dashboard server send HTTP requests to internal or loopback network services, a blind Server-Side Request Forgery (SSRF) that can change internal state but does not return the response to the attacker.

Impact Analysis

The vulnerability allows a low-privileged authenticated user to make the Nezha dashboard server send HTTP requests to internal or loopback network services. This can lead to unauthorized internal network interactions, potentially changing internal state or triggering actions on internal services that the attacker should not be able to reach. Although the attacker does not receive the response data, the ability to issue these internal requests can still be used to manipulate internal services or infrastructure.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Nezha Monitoring to version 2.0.10 or later, where the issue has been patched.
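The description above contrasts the notification webhook path, which has SSRF protections, with the DDNS webhook path, which sent the user-configured request unchecked. The following is an added example of what such a destination check looks like in Go; it is not Nezha's code, and the names ValidateWebhookURL, CheckHost, NewSafeClient and the Resolver type are assumptions introduced here. The resolver used in main and the 203.0.113.0/24 addresses are constructed so the example runs offline. It goes slightly beyond the advisory by also re-checking the destination at dial time, which covers redirects and a hostname whose DNS answer changes between saving the profile and sending the request.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Hypothetical guard for user-supplied webhook URLs (not Nezha's own code).

// ErrBlockedDestination marks a URL that points at a disallowed address range.
var ErrBlockedDestination = errors.New("webhook destination not allowed")

// Resolver abstracts DNS so the check can be exercised offline;
// production callers pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// isDisallowedIP reports whether ip lies in loopback, private (RFC 1918 / ULA),
// link-local, unspecified or multicast space. To4 inside these helpers means an
// IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is still caught as loopback.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast()
}

// CheckHost resolves host (or parses it if it is an IP literal) and rejects it
// if any returned address is disallowed: a name that returns one public and one
// internal record must not pass.
func CheckHost(host string, resolve Resolver) ([]net.IP, error) {
	if host == "" {
		return nil, fmt.Errorf("%w: empty host", ErrBlockedDestination)
	}
	lower := strings.ToLower(host)
	if lower == "localhost" || strings.HasSuffix(lower, ".localhost") {
		return nil, fmt.Errorf("%w: %q", ErrBlockedDestination, host)
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		var err error
		if ips, err = resolve(host); err != nil {
			return nil, err
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %q resolved to no addresses", ErrBlockedDestination, host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to %s", ErrBlockedDestination, host, ip)
		}
	}
	return ips, nil
}

// ValidateWebhookURL is the check to run when a DDNS profile is saved:
// http/https only, and the host must pass CheckHost.
func ValidateWebhookURL(raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q", ErrBlockedDestination, u.Scheme)
	}
	// Hostname() strips the brackets from IPv6 literals such as [::1].
	return CheckHost(u.Hostname(), resolve)
}

// NewSafeClient returns an http.Client that re-applies CheckHost at dial time and
// pins the connection to the vetted address, so redirects and DNS rebinding
// cannot steer the request to an internal service after the save-time check.
func NewSafeClient(resolve Resolver) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := CheckHost(host, resolve)
			if err != nil {
				return nil, err
			}
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   10 * time.Second,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil // the redirected dial passes through DialContext and is re-checked
		},
	}
}

func main() {
	// Constructed resolver so the demo runs offline; 203.0.113.0/24 is documentation space.
	resolve := func(host string) ([]net.IP, error) {
		if host == "hooks.example.com" {
			return []net.IP{net.ParseIP("203.0.113.10")}, nil
		}
		return nil, fmt.Errorf("no such host %q", host)
	}
	for _, raw := range []string{"https://hooks.example.com/ddns", "http://127.0.0.1:8080/", "http://10.0.0.5/"} {
		_, err := ValidateWebhookURL(raw, resolve)
		fmt.Printf("%-32s -> %v\n", raw, err)
	}
	_ = NewSafeClient(resolve)
}
```

Run the save-time check when the profile is created or updated, and send the request through a client built like NewSafeClient rather than a plain client, so the dial-time check is what actually decides where the bytes go.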
