Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.
Published: 2026-06-12
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated dashboard user (CVSS PR:L) can create or modify a DDNS profile that uses the webhook provider and supply an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the request through utils.HttpClient, which applies none of the SSRF protections that notification webhooks get. The result is a blind SSRF and internal state-changing request primitive: the attacker can make the dashboard host issue requests to loopback or internal network services, and because method, body, and headers are attacker-controlled, those can be state-changing POSTs to services that trust local or internal callers. The response body is not returned to the attacker in the confirmed path, so internal services can be interacted with but not read directly; any exfiltration would need an out-of-band channel.
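As an added illustration of the missing control, not code from the Nezha project or from the advisory, the Go snippet below shows the kind of destination check a user-supplied webhook URL needs before the dashboard sends it: a configuration-time validator that rejects non-HTTP schemes, localhost, and hosts resolving to loopback, private, link-local, or multicast addresses, plus an http.Transport that re-checks the address at dial time so DNS rebinding and redirects to internal hosts are also covered. The function names (ValidateWebhookURL, NewRestrictedTransport, fakeResolver), the hostnames and the IP addresses are constructed for the example and do not describe Nezha's actual fix.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// Resolver abstracts DNS lookup so the check can run offline in a test.
type Resolver func(host string) ([]net.IP, error)

// isForbiddenIP reports whether ip points at something a user-supplied
// webhook should never reach from the dashboard host: loopback, RFC 1918,
// link-local (this covers 169.254.169.254 cloud metadata), unspecified,
// and multicast ranges. IPv4-mapped IPv6 (::ffff:10.0.0.1) is normalised
// first so it cannot be used to slip past the IPv4 checks.
func isForbiddenIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast()
}

// ValidateWebhookURL is the check to run when a DDNS profile is created or
// updated (hypothetical name, not Nezha's own code). It rejects non-HTTP
// schemes, localhost names, and any host whose address is forbidden.
func ValidateWebhookURL(raw string, resolve Resolver) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid webhook_url: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname()) // brackets around IPv6 literals are already stripped
	if host == "" {
		return errors.New("webhook_url has no host")
	}
	if host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return errors.New("localhost is not allowed")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else {
		if ips, err = resolve(host); err != nil {
			return fmt.Errorf("resolving %s: %w", host, err)
		}
		if len(ips) == 0 {
			return fmt.Errorf("%s does not resolve", host)
		}
	}
	for _, ip := range ips {
		if isForbiddenIP(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// NewRestrictedTransport returns an http.Transport whose dialer re-checks
// the address after DNS resolution, at connect time. Using it for the client
// that sends the DDNS webhook closes the gap between validation and use
// (DNS rebinding) and also covers HTTP redirects that point at internal hosts.
func NewRestrictedTransport() *http.Transport {
	d := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			h, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			ip := net.ParseIP(h)
			if ip == nil || isForbiddenIP(ip) {
				return fmt.Errorf("refusing to dial %s", address)
			}
			return nil
		},
	}
	return &http.Transport{
		DialContext:         d.DialContext,
		Proxy:               nil, // ignore HTTP_PROXY; a proxy would bypass the dial-time check
		TLSHandshakeTimeout: 10 * time.Second,
	}
}

// fakeResolver is a constructed DNS table so the example runs offline.
func fakeResolver(host string) ([]net.IP, error) {
	table := map[string][]net.IP{
		"hooks.example.com": {net.ParseIP("203.0.113.10")},
		"intranet.example":  {net.ParseIP("10.0.0.5")},
	}
	if ips, ok := table[host]; ok {
		return ips, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	for _, u := range []string{
		"https://hooks.example.com/ddns",
		"http://127.0.0.1:8008/api/v1/server",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::ffff:10.0.0.1]/",
		"http://intranet.example/admin",
		"file:///etc/passwd",
	} {
		fmt.Printf("%-45s %v\n", u, ValidateWebhookURL(u, fakeResolver))
	}
}
```

The configuration-time check alone is not enough: a hostname that resolves to a public address when the profile is saved can be pointed at 127.0.0.1 by the time DDNS fires, which is why the transport repeats the check inside the dialer, where it sees the final IP for every connection, including those made while following redirects.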

Affected Systems

The vulnerability affects Nezha Monitoring from version 0.20.0 up to, but not including, 2.0.10. Version 2.0.10 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 6.4 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates medium severity; the changed scope reflects that the requests land on services other than the dashboard itself. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA KEV. However, the required attacker capability is only an authenticated dashboard account that can manage its own server and DDNS profile; no administrator role is needed. If exploited, the attacker can make the dashboard host send attacker-shaped requests to loopback or internal services, which may modify state or trigger side effects there. Prompt patching is recommended.

Generated by OpenCVE AI on June 12, 2026 at 22:25 UTC.

Remediation

The vendor fix is included in Nezha version 2.0.10 (see GHSA-6x26-5727-rrm9). No workaround for earlier versions is published.

OpenCVE Recommended Actions

  • Update to Nezha version 2.0.10 or later, which contains the fix.
  • Until the upgrade is done, restrict which dashboard accounts may create or modify DDNS profiles, and review existing profiles that use the webhook provider for webhook_url values that point at loopback, private, or link-local addresses.
  • Apply egress controls (host firewall or network policy) so the dashboard host can reach only the DDNS providers it legitimately needs; loopback traffic cannot be filtered at the network edge, so also check that services listening only on that host do not accept unauthenticated state-changing requests.

Generated by OpenCVE AI on June 12, 2026 at 22:25 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-6x26-5727-rrm9
Title: Nezha's authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
History

Fri, 12 Jun 2026 21:45:00 +0000

Values added (no values removed):
  • Description: Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.
  • Title: Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
  • Weaknesses: CWE-918
  • References: (none)
  • Metrics: cvssV3_1 score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:56:45.935Z

Reserved: 2026-05-18T23:03:37.229Z

Link: CVE-2026-47268

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-12T22:16:51.390

Modified: 2026-06-12T22:16:51.390

Link: CVE-2026-47268

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T22:30:08Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)