VYPR
← All advisories
High severity7.1NVD Advisory· Published Jun 10, 2026

Nezha has cross-site GET request that can trigger stored cron commands on a victim's agents

CVE-2026-49396

Description

Summary

The dashboard exposes the cron manual-trigger action as an authenticated GET /api/v1/cron/:id/manual endpoint. Dashboard JWTs are sent in the nz-jwt cookie and configured with SameSite=Lax, which browsers include on top-level cross-site GET navigations. Because this state-changing GET endpoint has no CSRF token, origin validation, or fetch-metadata guard, an attacker can cause a logged-in Nezha user to trigger one of their existing cron tasks by navigating the victim's browser to the manual-trigger URL.

If the targeted cron task sends a command to an online agent, the stored command is dispatched to the agent task stream. The attacker cannot create or modify the cron command through this issue alone, but can force execution of a command that the victim already saved and is authorized to run.

Details

Source-to-sink chain:

  1. The dashboard registers the manual cron trigger as a GET route under the authenticated API group: auth.GET("/cron/:id/manual", commonHandler(manualTriggerCron)) at cmd/dashboard/controller/controller.go:131-134.
  2. JWT auth is cookie-enabled: CookieName: "nz-jwt", SendCookie: true, CookieSameSite: http.SameSiteLaxMode, and TokenLookup: "header: Authorization, query: token, cookie: nz-jwt" at cmd/dashboard/controller/jwt.go:23-46.
  3. The handler parses the route ID, loads the cron object, checks only normal object ownership via cr.HasPermission(c), then calls singleton.ManualTrigger(cr) at cmd/dashboard/controller/cron.go:170-187.
  4. ManualTrigger immediately runs CronTrigger(cr)() at service/singleton/crontask.go:249-250.
  5. CronTrigger dispatches the stored command to online eligible agents via s.TaskStream.Send(&pb.Task{Id: cr.ID, Data: cr.Command, Type: model.TaskTypeCommand}) at service/singleton/crontask.go:289-304 after the owner/server check in cronCanSendToServer (service/singleton/crontask.go:315-317).
  6. Object authorization is user ownership/admin only: Common.HasPermission returns true for admins or matching UserID at model/common.go:44-56. There is no CSRF token, Origin/Referer validation, or Fetch Metadata check on this GET action.

False-positive screening:

  • The endpoint is not read-only: the safe proof below observed an in-memory agent stream receiving the command task.
  • The route is authenticated, and the unauthenticated negative control failed with ApiErrorUnauthorized and dispatched no task.
  • SameSite=Lax mitigates cross-site POSTs, but this action uses GET; Lax cookies are still sent on top-level cross-site GET navigations, which is why state-changing GET endpoints remain CSRF-sensitive.
  • The attacker must know or guess a cron ID owned by the victim. IDs are numeric. The issue does not allow creating or editing a command; it forces execution of an existing stored task.
  • The permission check still limits the triggered task to the victim's own task or an admin's task, but CSRF abuses the victim's browser/session to satisfy that check.

PoC

Safe local proof used a Go test overlay only; no repository files were modified for the proof and no real command was executed. The test creates an in-memory SQLite database, a victim user, a victim-owned server with an in-memory fake task stream, and a victim-owned cron task with command text touch /tmp/should-not-run. It then performs two requests:

  1. Negative control: cross-site-style GET without the nz-jwt cookie. Expected result: response contains ApiErrorUnauthorized; zero tasks are dispatched.
  2. Positive proof: cross-site-style GET with the victim's nz-jwt cookie. Expected result: API response succeeds and exactly one task is dispatched to the fake agent stream with Id=7, Type=model.TaskTypeCommand, and Data="touch /tmp/should-not-run".

Command run from a clean checkout of the tested tree:

cat >/tmp/nezha-docs-stub.go <<'EOF'
package docs

var SwaggerInfo = struct {
	Version string
}{Version: "test"}
EOF

cat >/tmp/nezha-cron-csrf-poc-test.go <<'EOF'
package controller

import (
	"context"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"

	"github.com/gin-gonic/gin"
	"github.com/patrickmn/go-cache"
	"google.golang.org/grpc/metadata"
	"gorm.io/driver/sqlite"
	"gorm.io/gorm"

	"github.com/nezhahq/nezha/model"
	"github.com/nezhahq/nezha/pkg/i18n"
	pb "github.com/nezhahq/nezha/proto"
	"github.com/nezhahq/nezha/service/singleton"
)

type capturedTaskStream struct { tasks []*pb.Task }

func (s *capturedTaskStream) Send(task *pb.Task) error { s.tasks = append(s.tasks, task); return nil }
func (s *capturedTaskStream) Recv() (*pb.TaskResult, error) { return nil, context.Canceled }
func (s *capturedTaskStream) SetHeader(metadata.MD) error { return nil }
func (s *capturedTaskStream) SendHeader(metadata.MD) error { return nil }
func (s *capturedTaskStream) SetTrailer(metadata.MD) {}
func (s *capturedTaskStream) Context() context.Context { return context.Background() }
func (s *capturedTaskStream) SendMsg(any) error { return nil }
func (s *capturedTaskStream) RecvMsg(any) error { return context.Canceled }

func TestCronManualTriggerAcceptsCookieAuthenticatedCrossSiteGET(t *testing.T) {
	gin.SetMode(gin.TestMode)
	db, err := gorm.Open(sqlite.Open("file:cron_csrf_poc?mode=memory&cache=shared"), &gorm.Config{})
	if err != nil { t.Fatal(err) }
	if err := db.AutoMigrate(&model.User{}, &model.Server{}, &model.Cron{}); err != nil { t.Fatal(err) }
	if err := db.Create(&model.User{Common: model.Common{ID: 100}, Username: "victim", Role: model.RoleMember}).Error; err != nil { t.Fatal(err) }
	if err := db.Create(&model.Server{Common: model.Common{ID: 200, UserID: 100}, Name: "victim-agent"}).Error; err != nil { t.Fatal(err) }

	singleton.DB = db
	singleton.Loc = time.UTC
	singleton.Cache = cache.New(time.Minute, time.Minute)
	singleton.Localizer = i18n.NewLocalizer("en_US", "nezha", "translations", i18n.Translations)
	singleton.Conf = &singleton.ConfigClass{Config: &model.Config{ConfigForGuests: model.ConfigForGuests{SiteName: "test"}, JWTSecretKey: "test-secret-for-cron-csrf-poc", JWTTimeout: 1}}
	singleton.ServerShared = singleton.NewServerClass()
	singleton.CronShared = singleton.NewCronClass()
	defer singleton.CronShared.Stop()

	stream := &capturedTaskStream{}
	server, ok := singleton.ServerShared.Get(200)
	if !ok { t.Fatal("server missing from singleton") }
	server.TaskStream = stream

	cronTask := &model.Cron{Common: model.Common{ID: 7, UserID: 100}, Name: "victim cron", TaskType: model.CronTypeCronTask, Command: "touch /tmp/should-not-run", Servers: []uint64{200}, Cover: model.CronCoverIgnoreAll}
	singleton.CronShared.Update(cronTask)

	authMiddleware := initParams()
	if err := authMiddleware.MiddlewareInit(); err != nil { t.Fatal(err) }
	token, _, err := authMiddleware.TokenGenerator(map[string]interface{}{"user_id": "100", "ip": "203.0.113.10"})
	if err != nil { t.Fatal(err) }

	r := gin.New()
	r.Use(func(c *gin.Context) { c.Set(model.CtxKeyRealIPStr, "203.0.113.10"); c.Next() })
	auth := r.Group("", authMiddleware.MiddlewareFunc())
	auth.GET("/api/v1/cron/:id/manual", commonHandler(manualTriggerCron))

	wNoCookie := httptest.NewRecorder()
	reqNoCookie := httptest.NewRequest(http.MethodGet, "/api/v1/cron/7/manual", nil)
	reqNoCookie.Header.Set("Origin", "https://attacker.example")
	reqNoCookie.Header.Set("Sec-Fetch-Site", "cross-site")
	r.ServeHTTP(wNoCookie, reqNoCookie)
	if !strings.Contains(wNoCookie.Body.String(), "ApiErrorUnauthorized") { t.Fatalf("expected unauthenticated control to fail, got status=%d body=%s", wNoCookie.Code, wNoCookie.Body.String()) }
	if len(stream.tasks) != 0 { t.Fatalf("unauthenticated control dispatched %d task(s)", len(stream.tasks)) }

	w := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/v1/cron/7/manual", nil)
	req.Header.Set("Origin", "https://attacker.example")
	req.Header.Set("Sec-Fetch-Site", "cross-site")
	req.AddCookie(&http.Cookie{Name: "nz-jwt", Value: token})
	r.ServeHTTP(w, req)

	var resp struct { Success bool `json:"success"`; Error string `json:"error"` }
	if err := json.Unmarshal(w.Body.Bytes(), &resp); err != nil { t.Fatalf("decode response: %v body=%s", err, w.Body.String()) }
	if !resp.Success { t.Fatalf("manual trigger failed: status=%d body=%s", w.Code, w.Body.String()) }
	if len(stream.tasks) != 1 { t.Fatalf("expected one dispatched task, got %d", len(stream.tasks)) }
	dispatched := stream.tasks[0]
	if dispatched.Id != 7 || dispatched.Type != model.TaskTypeCommand || dispatched.Data != "touch /tmp/should-not-run" { t.Fatalf("unexpected dispatched task: id=%d type=%d data=%q", dispatched.Id, dispatched.Type, dispatched.Data) }
}
EOF

cat >/tmp/nezha-overlay-cron-csrf.json <<'EOF'
{
  "Replace": {
    "/path/to/nezha/cmd/dashboard/docs/docs.go": "/tmp/nezha-docs-stub.go",
    "/path/to/nezha/cmd/dashboard/controller/cron_csrf_poc_test.go": "/tmp/nezha-cron-csrf-poc-test.go"
  }
}
EOF
# Replace /path/to/nezha above with the local checkout path, then run:
go test -vet=off -overlay=/tmp/nezha-overlay-cron-csrf.json ./cmd/dashboard/controller -run TestCronManualTriggerAcceptsCookieAuthenticatedCrossSiteGET -count=1 -v

Observed output in this environment:

=== RUN   TestCronManualTriggerAcceptsCookieAuthenticatedCrossSiteGET
--- PASS: TestCronManualTriggerAcceptsCookieAuthenticatedCrossSiteGET (0.00s)
PASS
ok  	github.com/nezhahq/nezha/cmd/dashboard/controller	0.019s

The -vet=off flag was only needed because this checkout lacks the generated cmd/dashboard/docs directory and Go vet still tries to chdir into the overlay-created package directory. The overlay includes a minimal docs package stub so the controller package can compile without generating Swagger files.

Cleanup:

rm -f /tmp/nezha-docs-stub.go /tmp/nezha-cron-csrf-poc-test.go /tmp/nezha-overlay-cron-csrf.json

Impact

A remote attacker can cause a logged-in dashboard user to trigger an existing cron task by making the user's browser navigate to /api/v1/cron//manual. If that cron task dispatches an agent command, the command is sent to the victim's online agent without the victim intentionally clicking the manual trigger in the dashboard.

Security impact is integrity and availability:

  • Integrity: forced execution of a stored command on victim-controlled agents.
  • Availability: forced execution of disruptive stored tasks, repeated task starts, or repeated notifications/offline failure paths.
  • Confidentiality: not directly demonstrated; the PoC does not show data exfiltration.

Suggested remediation

  • Make manual cron triggering a non-idempotent method such as POST /api/v1/cron/:id/manual instead of GET.
  • Require a CSRF token for cookie-authenticated state-changing requests, or reject unsafe cross-site requests with Origin/Referer and Fetch Metadata validation.
  • Consider not accepting JWTs from cookies for state-changing API calls unless a CSRF token is present.
  • Add a regression test that sends a cross-site-style GET with a valid cookie and asserts no cron task is dispatched.
  • If frontend compatibility requires cookies, keep SameSite=Lax or stricter, but do not rely on it to protect state-changing GET routes.

Affected products

1

Patches

3
4ec4d73069f0

fix(fm): switch create FM session to POST to defeat CSRF

https://github.com/nezhahq/nezhaNezha DevMay 26, 2026Fixed in 2.0.14via ghsa-release-walk
commit
2 files changed · +2 2
  • cmd/dashboard/controller/controller.go+1 1 modified
    @@ -84,7 +84,7 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	auth.POST("/terminal", commonHandler(createTerminal))
 	auth.GET("/ws/terminal/:id", commonHandler(terminalStream))
 
-	auth.GET("/file", commonHandler(createFM))
+	auth.POST("/file", commonHandler(createFM))
 	auth.GET("/ws/file/:id", commonHandler(fmStream))
 
 	auth.GET("/profile", commonHandler(getProfile))
  • cmd/dashboard/controller/fm.go+1 1 modified
    @@ -24,7 +24,7 @@ import (
 // @Param id query uint true "Server ID"
 // @Produce json
 // @Success 200 {object} model.CreateFMResponse
-// @Router /file [get]
+// @Router /file [post]
 func createFM(c *gin.Context) (*model.CreateFMResponse, error) {
 	idStr := c.Query("id")
 	id, err := strconv.ParseUint(idStr, 10, 64)
10327f345b14

fix(cron): switch manual trigger to POST to defeat CSRF

https://github.com/nezhahq/nezhaNezha DevMay 26, 2026Fixed in 2.0.14via ghsa-release-walk
commit
3 files changed · +107 2
  • cmd/dashboard/controller/controller.go+1 1 modified
    @@ -135,7 +135,7 @@ func routers(r *gin.Engine, frontendDist fs.FS) {
 	auth.GET("/cron", listHandler(listCron))
 	auth.POST("/cron", commonHandler(createCron))
 	auth.PATCH("/cron/:id", commonHandler(updateCron))
-	auth.GET("/cron/:id/manual", commonHandler(manualTriggerCron))
+	auth.POST("/cron/:id/manual", commonHandler(manualTriggerCron))
 	auth.POST("/batch-delete/cron", commonHandler(batchDeleteCron))
 
 	auth.GET("/ddns", listHandler(listDDNS))
  • cmd/dashboard/controller/cron.go+1 1 modified
    @@ -166,7 +166,7 @@ func updateCron(c *gin.Context) (any, error) {
 // @param id path uint true "Task ID"
 // @Produce json
 // @Success 200 {object} model.CommonResponse[any]
-// @Router /cron/{id}/manual [get]
+// @Router /cron/{id}/manual [post]
 func manualTriggerCron(c *gin.Context) (any, error) {
 	idStr := c.Param("id")
 	id, err := strconv.ParseUint(idStr, 10, 64)
  • cmd/dashboard/controller/cron_manual_csrf_test.go+105 0 added
    @@ -0,0 +1,105 @@
+package controller
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/patrickmn/go-cache"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+
+	"github.com/nezhahq/nezha/model"
+	"github.com/nezhahq/nezha/pkg/i18n"
+	"github.com/nezhahq/nezha/service/singleton"
+)
+
+func setupCronManualTriggerFixture(t *testing.T) {
+	t.Helper()
+
+	originalDB := singleton.DB
+	originalCache := singleton.Cache
+	originalLoc := singleton.Loc
+	originalLocalizer := singleton.Localizer
+	originalCron := singleton.CronShared
+	originalServer := singleton.ServerShared
+	originalUserInfo := singleton.UserInfoMap
+	db, err := gorm.Open(sqlite.Open(":memory:"), &gorm.Config{})
+	require.NoError(t, err)
+	require.NoError(t, db.AutoMigrate(&model.Cron{}, &model.Server{}, &model.User{}))
+
+	singleton.DB = db
+	singleton.Loc = time.UTC
+	singleton.Cache = cache.New(time.Minute, time.Minute)
+	singleton.Localizer = i18n.NewLocalizer("en_US", "nezha", "translations", i18n.Translations)
+	singleton.CronShared = singleton.NewCronClass()
+	singleton.ServerShared = singleton.NewServerClass()
+	singleton.UserLock.Lock()
+	singleton.UserInfoMap = map[uint64]model.UserInfo{100: {Role: model.RoleMember}}
+	singleton.UserLock.Unlock()
+
+	cr := &model.Cron{
+		Common:   model.Common{ID: 7, UserID: 100},
+		Name:     "victim cron",
+		TaskType: model.CronTypeCronTask,
+		Command:  "echo csrf-poc",
+		Cover:    model.CronCoverIgnoreAll,
+	}
+	require.NoError(t, db.Create(cr).Error)
+	singleton.CronShared.Update(cr)
+
+	t.Cleanup(func() {
+		singleton.DB = originalDB
+		singleton.Cache = originalCache
+		singleton.Loc = originalLoc
+		singleton.Localizer = originalLocalizer
+		singleton.CronShared = originalCron
+		singleton.ServerShared = originalServer
+		singleton.UserLock.Lock()
+		singleton.UserInfoMap = originalUserInfo
+		singleton.UserLock.Unlock()
+	})
+}
+
+func newCronManualRouter() *gin.Engine {
+	gin.SetMode(gin.TestMode)
+	r := gin.New()
+	r.Use(func(c *gin.Context) {
+		c.Set(model.CtxKeyAuthorizedUser, &model.User{
+			Common: model.Common{ID: 100},
+			Role:   model.RoleMember,
+		})
+		c.Next()
+	})
+	r.POST("/api/v1/cron/:id/manual", commonHandler(manualTriggerCron))
+	return r
+}
+
+func TestCronManualTriggerRejectsCrossSiteGET(t *testing.T) {
+	setupCronManualTriggerFixture(t)
+	r := newCronManualRouter()
+
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodGet, "/api/v1/cron/7/manual", nil)
+	req.Header.Set("Origin", "https://attacker.example")
+	req.Header.Set("Sec-Fetch-Site", "cross-site")
+	r.ServeHTTP(w, req)
+
+	assert.Equal(t, http.StatusNotFound, w.Code, "manual trigger must reject cross-site GET — the route is POST-only after the CSRF fix")
+}
+
+func TestCronManualTriggerAcceptsSameSitePOST(t *testing.T) {
+	setupCronManualTriggerFixture(t)
+	r := newCronManualRouter()
+
+	w := httptest.NewRecorder()
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/cron/7/manual", nil)
+	r.ServeHTTP(w, req)
+
+	success, errMsg := decodeCommonResponseError(t, w.Body.Bytes())
+	assert.True(t, success, "owner POST must succeed: error=%q", errMsg)
+}
0fbe48d9950e

fix(service): hide EnableShowInService=false services from sideband endpoints

https://github.com/nezhahq/nezhaNezha DevMay 26, 2026Fixed in 2.0.14via ghsa-release-walk
commit
3 files changed · +72 3
  • cmd/dashboard/controller/permissions.go+16 0 modified
    @@ -35,6 +35,22 @@ func userCanViewServer(c *gin.Context, server *model.Server) bool {
 	return !server.HideForGuest
 }
 
+func userCanViewService(c *gin.Context, service *model.Service) bool {
+	if service == nil {
+		return false
+	}
+	if service.EnableShowInService {
+		return true
+	}
+	if callerIsAdmin(c) {
+		return true
+	}
+	if _, isMember := c.Get(model.CtxKeyAuthorizedUser); isMember {
+		return service.HasPermission(c)
+	}
+	return false
+}
+
 func assertOwnsNotificationGroup(c *gin.Context, groupID uint64) error {
 	if groupID == 0 {
 		return nil
  • cmd/dashboard/controller/service.go+8 3 modified
    @@ -130,9 +130,8 @@ func getServiceHistory(c *gin.Context) (*model.ServiceHistoryResponse, error) {
 		return nil, err
 	}
 
-	// 检查服务是否存在
 	service, ok := singleton.ServiceSentinelShared.Get(serviceID)
-	if !ok || service == nil {
+	if !ok || service == nil || !userCanViewService(c, service) {
 		return nil, singleton.Localizer.ErrorT("service not found")
 	}
 
@@ -285,7 +284,13 @@ func listServerServices(c *gin.Context) ([]*model.ServiceInfos, error) {
 		return nil, singleton.Localizer.ErrorT("unauthorized: only 1d data available for guests")
 	}
 
-	services := singleton.ServiceSentinelShared.GetSortedList()
+	allServices := singleton.ServiceSentinelShared.GetSortedList()
+	services := make([]*model.Service, 0, len(allServices))
+	for _, s := range allServices {
+		if userCanViewService(c, s) {
+			services = append(services, s)
+		}
+	}
 
 	var result []*model.ServiceInfos
  • cmd/dashboard/controller/service_visibility_test.go+48 0 added
    @@ -0,0 +1,48 @@
+package controller
+
+import (
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/nezhahq/nezha/model"
+)
+
+func newServiceVisibilityCtx(viewer *model.User) *gin.Context {
+	gin.SetMode(gin.TestMode)
+	c, _ := gin.CreateTestContext(httptest.NewRecorder())
+	if viewer != nil {
+		c.Set(model.CtxKeyAuthorizedUser, viewer)
+	}
+	return c
+}
+
+func TestUserCanViewServiceVisibleServiceIsPublic(t *testing.T) {
+	visible := &model.Service{Common: model.Common{ID: 1, UserID: 100}, EnableShowInService: true}
+	assert.True(t, userCanViewService(newServiceVisibilityCtx(nil), visible), "guest must see EnableShowInService=true regardless of owner")
+}
+
+func TestUserCanViewServiceHiddenServiceRejectsGuest(t *testing.T) {
+	hidden := &model.Service{Common: model.Common{ID: 1, UserID: 100}, EnableShowInService: false}
+	assert.False(t, userCanViewService(newServiceVisibilityCtx(nil), hidden), "guest must NOT see hidden service via per-server / per-id sideband endpoints")
+}
+
+func TestUserCanViewServiceHiddenServiceRejectsForeignMember(t *testing.T) {
+	hidden := &model.Service{Common: model.Common{ID: 1, UserID: 100}, EnableShowInService: false}
+	foreign := &model.User{Common: model.Common{ID: 200}, Role: model.RoleMember}
+	assert.False(t, userCanViewService(newServiceVisibilityCtx(foreign), hidden), "foreign member must NOT see another user's hidden service")
+}
+
+func TestUserCanViewServiceHiddenServiceAllowsOwner(t *testing.T) {
+	hidden := &model.Service{Common: model.Common{ID: 1, UserID: 100}, EnableShowInService: false}
+	owner := &model.User{Common: model.Common{ID: 100}, Role: model.RoleMember}
+	assert.True(t, userCanViewService(newServiceVisibilityCtx(owner), hidden), "owner must still see their own hidden service")
+}
+
+func TestUserCanViewServiceHiddenServiceAllowsAdmin(t *testing.T) {
+	hidden := &model.Service{Common: model.Common{ID: 1, UserID: 100}, EnableShowInService: false}
+	admin := &model.User{Common: model.Common{ID: 1}, Role: model.RoleAdmin}
+	assert.True(t, userCanViewService(newServiceVisibilityCtx(admin), hidden), "admin must be able to see any hidden service")
+}

Vulnerability mechanics

Root cause

"The dashboard exposes a state-changing cron manual-trigger action as a GET endpoint without sufficient CSRF protection."

Attack vector

An attacker can trick a logged-in Nezha dashboard user into navigating their browser to a crafted URL. This URL targets the `/api/v1/cron/:id/manual` endpoint, which accepts JWTs via the `nz-jwt` cookie. Because the `SameSite=Lax` cookie is sent on top-level cross-site GET navigations, the request is authenticated. The endpoint lacks origin validation or CSRF tokens, allowing the attacker to trigger an existing cron task owned by the victim [ref_id=1]. The attacker must know or guess the cron task ID.

Affected code

The vulnerability lies in the `auth.GET("/cron/:id/manual", commonHandler(manualTriggerCron))` route registration within `cmd/dashboard/controller/controller.go` [ref_id=1]. JWT authentication is configured to accept cookies via `nz-jwt` with `SameSite=Lax` [ref_id=1]. The `manualTriggerCron` handler proceeds to execute the cron task via `singleton.ManualTrigger(cr)` in `cmd/dashboard/controller/cron.go` and `service/singleton/crontask.go` without adequate security checks [ref_id=1].

What the fix does

The suggested remediation advises making the manual cron trigger a non-idempotent method like POST, requiring a CSRF token for state-changing requests, or implementing Origin/Referer and Fetch Metadata validation. It also suggests considering not accepting JWTs from cookies for state-changing API calls unless a CSRF token is present. These measures would prevent unauthenticated or malicious requests from triggering cron tasks [ref_id=1].

Preconditions

  • authThe victim must be logged into the Nezha dashboard.
  • inputThe attacker must know or guess a valid cron task ID owned by the victim.

Reproduction

The provided PoC demonstrates this vulnerability by setting up a test environment with a victim user, a cron task, and an in-memory task stream. It then performs two requests: a negative control without the `nz-jwt` cookie, which fails with `ApiErrorUnauthorized`, and a positive proof with the `nz-jwt` cookie, which successfully triggers the cron task and dispatches a command to the agent stream [ref_id=1]. The PoC code is provided in the reference [ref_id=1].

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.