CVE-2026-46716
Vulnerability Summary
Timeline
Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.
CVSS Metrics
- v3.1•CRITICAL•Score: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.04%• Percentile: 14%
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-269•Improper Privilege Management
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
- CWE-862•Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Affected Systems
- github.com/nezhahq•nezha
≥ 1.4.0, < 1.14.15-0.20260517022419-d7526351cf97
- nezhahq•nezha
≥ 1.4.0, < 2.0.8