Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.
Published: 2026-06-12
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user holding only the RoleMember role (a non-admin tenant) can create a scheduled cron task that runs an arbitrary shell command on every server registered with the dashboard, regardless of tenant ownership. With Cover=CronCoverAll and an empty Servers list the task has no server filter, so at every scheduler tick the dashboard dispatches the command to every entry in the global ServerShared map, including servers owned by the admin and by other members. The command runs with the privileges of the Nezha agent on each host, and its output is delivered to the attacker's own NotificationGroup webhook, so the attacker gets repeated code execution plus a read-back channel on every affected host; data exfiltration, persistence, and lateral movement all follow from that.

Affected Systems

Nezha Monitoring from nezhahq. Versions from 1.4.0 through 2.0.7 are vulnerable; the issue was fixed in version 2.0.8.

Risk and Exploitability

The CVSS 3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) signals critical severity: the dashboard API is network reachable, the attack is low complexity, only low privileges (a RoleMember account) are needed, no user interaction is required, and scope changes because a request to the dashboard results in execution on agents that belong to other tenants. EPSS is below 1 %, a low but non-zero likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Per the GHSA advisory title, the attack vector is a POST to /api/v1/cron by a RoleMember user. Once the cron entry exists the scheduler does the rest: at every tick it pushes the command to all servers and the agents return the output to the attacker-controlled webhook, so a single request yields persistent, repeated cross-tenant command execution with no further attacker action.

Generated by OpenCVE AI on June 12, 2026 at 22:24 UTC.

Remediation

The vendor fix is version 2.0.8 (see Description and the GHSA advisory). No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Nezha Monitoring to version 2.0.8 or later.
  • If an upgrade cannot occur immediately, reject cron task creation by non-admin users that sets Cover=CronCoverAll with an empty Servers list, and enforce that a member's cron tasks resolve only to servers owned by that member's own tenant.
  • Reduce RoleMember privileges or remove the RoleMember role from users that do not require it; apply the principle of least privilege to limit access to scheduling functionality.

Generated by OpenCVE AI on June 12, 2026 at 22:24 UTC.
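The Impact section describes the faulty target resolution (Cover=CronCoverAll, Servers=[] resolves to the whole ServerShared map with no ownership check) and the Recommended Actions describe the check a fix must add. The following Go program, written here as an added illustration and not taken from the nezhahq code base, models both side by side: TargetsVulnerable reproduces the pre-2.0.8 behaviour the advisory describes, and TargetsHardened applies the tenant check. The struct fields (Server.UserID as the owning tenant), the numeric values of the cover constants, the "all except listed" semantics of CronCoverAll, and the sample server map are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role and cover constants reuse the advisory's names; the numeric values and
// the "all except listed" reading of CronCoverAll are assumptions for this example.
type Role int

const (
	RoleAdmin Role = iota
	RoleMember
)

const (
	CronCoverIgnoreAll = 0 // run only on the servers listed in Cron.Servers
	CronCoverAll       = 1 // run on every server except those listed
)

type User struct {
	ID   uint64
	Role Role
}

// Server.UserID is a hypothetical owning-tenant field.
type Server struct {
	ID     uint64
	Name   string
	UserID uint64
}

type Cron struct {
	Cover   int
	Servers []uint64
	Command string
}

// ServerShared stands in for the dashboard's global server map; the entries are
// constructed sample data (admin owns 1 and 2, alice owns 3, bob owns 4).
var ServerShared = map[uint64]*Server{
	1: {ID: 1, Name: "admin-db", UserID: 100},
	2: {ID: 2, Name: "admin-web", UserID: 100},
	3: {ID: 3, Name: "alice-vps", UserID: 200},
	4: {ID: 4, Name: "bob-vps", UserID: 300},
}

var (
	ErrForbidden = errors.New("cron references an unknown server or one the caller does not own")
	ErrNoTargets = errors.New("cron resolves to no servers")
)

func toSet(ids []uint64) map[uint64]bool {
	s := make(map[uint64]bool, len(ids))
	for _, id := range ids {
		s[id] = true
	}
	return s
}

func sorted(ids []uint64) []uint64 {
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

// SameIDs reports whether two sorted ID slices are equal (helper for callers/tests).
func SameIDs(a, b []uint64) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// TargetsVulnerable models the pre-2.0.8 behaviour: the caller is never consulted,
// so CronCoverAll with an empty Servers list resolves to every server in the
// global map, whoever owns it.
func TargetsVulnerable(c *Cron) []uint64 {
	listed := toSet(c.Servers)
	var out []uint64
	for id := range ServerShared {
		if (c.Cover == CronCoverAll && !listed[id]) || (c.Cover == CronCoverIgnoreAll && listed[id]) {
			out = append(out, id)
		}
	}
	return sorted(out)
}

// TargetsHardened resolves targets per caller: a RoleMember is confined to servers
// they own ("all" means "all of mine"), an explicit reference to a foreign or unknown
// server is rejected rather than silently dropped, and a task that would run nowhere
// is rejected at creation time instead of being stored.
func TargetsHardened(u *User, c *Cron) ([]uint64, error) {
	listed := toSet(c.Servers)
	for id := range listed {
		s, ok := ServerShared[id]
		if !ok || (u.Role != RoleAdmin && s.UserID != u.ID) {
			return nil, fmt.Errorf("%w: server %d", ErrForbidden, id)
		}
	}
	var out []uint64
	for id, s := range ServerShared {
		if u.Role != RoleAdmin && s.UserID != u.ID {
			continue // never in scope for a member, regardless of Cover
		}
		if (c.Cover == CronCoverAll && !listed[id]) || (c.Cover == CronCoverIgnoreAll && listed[id]) {
			out = append(out, id)
		}
	}
	if len(out) == 0 {
		return nil, ErrNoTargets
	}
	return sorted(out), nil
}

func main() {
	alice := &User{ID: 200, Role: RoleMember}
	attack := &Cron{Cover: CronCoverAll, Servers: nil, Command: "id"}
	fmt.Println("vulnerable:", TargetsVulnerable(attack)) // all four servers
	got, err := TargetsHardened(alice, attack)
	fmt.Println("hardened:", got, err) // only server 3
}
```

The check belongs at POST /api/v1/cron (creation and update), not only at dispatch time: validating at dispatch would still leave the stored task in place and would have to fail silently on every tick. Rejecting an explicit foreign server ID with an error also gives the audit log a clear signal that a member probed another tenant's servers.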

Advisories
Source: GitHub GHSA
ID: GHSA-99gv-2m7h-3hh9
Title: Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
History

Fri, 12 Jun 2026 21:45:00 +0000

Values removed: none (initial record)

Values added:

Description: Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.
Title: Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron
Weaknesses: CWE-269, CWE-78, CWE-862
References: none listed
Metrics: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T21:00:46.700Z

Reserved: 2026-05-15T23:26:58.310Z

Link: CVE-2026-46716

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T22:16:50.810

Modified: 2026-06-12T22:16:50.810

Link: CVE-2026-46716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-269: Improper Privilege Management
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-862: Missing Authorization