Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
Published: 2026-06-12
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated RoleMember user can call the POST /api/v1/notification endpoint and trigger the application to send a user‑supplied HTTP request synchronously. The application returns the entire response body for any non‑2xx status code with no size limit, effectively exposing internal or third‑party data to the attacker. This flaw is an SSRF that can be used to read arbitrary resources, potentially leaking sensitive information or causing denial‑of‑service by sending large payloads. Risk is mitigated only by controlling the destination URLs or removing the ability to expose response bodies.

Affected Systems

nezhahq:nezha versions from 1.4.0 up to, but not including, 2.0.8 are affected; these versions expose the notification endpoints to RoleMember users.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity. EPSS is below 1%, suggesting low current exploitation probability. The vulnerability is not listed in CISA KEV. The attack vector is web‑based, requiring authentication as a RoleMember; no additional privileges are needed. An attacker who can gain a RoleMember account can target internal services or external systems, reflecting responses back to the user, which can be leveraged for information gathering or internal network probing.

Generated by OpenCVE AI on June 12, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nezhahq:nezha to version 2.0.8 or later, which removes the SSRF path for RoleMember users.
  • Reconfigure the application to route /api/v1/notification endpoints through adminHandler or otherwise restrict RoleMember access to these endpoints.
  • If an upgrade is pending, restrict the list of allowed destination hosts for notification requests or block internal network ranges to prevent internal SSRF.
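The three controls the advisory and the recommended actions point at (an admin-only gate for the notification routes, rejecting destinations that resolve to internal addresses, and a cap on how much of an upstream response is ever surfaced) as one added Go example; this is not nezha's own code, and the resolver parameter, the 4096-byte cap and the function names are assumptions made for illustration:

```go
package main

import (
	"errors"
	"io"
	"net"
	"net/url"
)

// Roles as the advisory names them (RoleAdmin==0, RoleMember==1) and a cap on
// upstream response bytes ever surfaced to a caller (the vulnerable handlers had none).
const RoleAdmin, RoleMember = 0, 1
const maxReflectedBody = 4096

// isAdmin is the gate adminHandler enforces and commonHandler does not; the
// notification routes belong behind it.
func isAdmin(role int) bool { return role == RoleAdmin }

// validateDestination accepts only http(s) URLs whose host resolves solely to externally
// routable addresses. resolve is a hypothetical injected parameter so the check runs
// offline; in production pass net.LookupIP.
func validateDestination(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return errors.New("only http(s) URLs with a host are allowed")
	}
	ips, err := resolve(u.Hostname())
	if err != nil || len(ips) == 0 {
		return errors.New("host does not resolve")
	}
	for _, ip := range ips {
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() {
			return errors.New("destination is not externally routable: " + ip.String())
		}
	}
	return nil
}

// boundedBody reads at most maxReflectedBody bytes of an upstream response and
// reports whether it was cut, so a handler can log a summary instead of reflecting it.
func boundedBody(r io.Reader) ([]byte, bool) {
	buf, _ := io.ReadAll(io.LimitReader(r, maxReflectedBody+1))
	if len(buf) > maxReflectedBody {
		return buf[:maxReflectedBody], true
	}
	return buf, false
}
```

Resolving before the check matters because a hostname that points at a loopback or RFC 1918 address would otherwise pass a string-only allowlist.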


Tracking


Advisories
Source: Github GHSA
ID: GHSA-w4g9-mxgg-j532
Title: Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
History

Sat, 13 Jun 2026 04:30:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Jun 2026 21:45:00 +0000

Values added:
  • Description: Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler — so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. This issue has been patched in version 2.0.8.
  • Title: Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
  • Weaknesses: CWE-863, CWE-918
  • References:
  • Metrics (cvssV3_1): {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-13T03:38:33.513Z

Reserved: 2026-05-15T23:26:58.310Z

Link: CVE-2026-46717

Vulnrichment

Updated: 2026-06-13T03:38:25.314Z

NVD

Status : Received

Published: 2026-06-12T22:16:50.957

Modified: 2026-06-13T04:17:27.870

Link: CVE-2026-46717

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T23:30:08Z

Weaknesses
  • CWE-863: Incorrect Authorization
  • CWE-918: Server-Side Request Forgery (SSRF)