Nezha Monitoring: 13 CVEs Disclosed, Including Critical Command Injection and Path Bypass

Key findings
- 13 CVEs disclosed together for Nezha Monitoring, including two Critical-severity flaws (CVSS 9.1 and 9.9)
- CVE-2026-46716 (CVSS 9.9) lets any RoleMember push arbitrary commands to all agents via cron tasks
- CVE-2026-53519 (CVSS 9.1) bypasses path routing via strings.HasPrefix, exposing internal endpoints
- Multiple authorization gaps allow RoleMember users to escalate privileges or access other users' data
- All vulnerabilities are patched across versions 2.0.8 through 2.2.0; operators should upgrade to 2.2.0
- DDNS profile dangling-reference (CVE-2026-53521) and SSRF (CVE-2026-47268) expand the attack surface
Nezha Monitoring, the open-source, self-hostable server and website monitoring tool, disclosed 13 distinct security vulnerabilities on June 12, 2026, affecting versions from as early as 0.20.0 through the 2.2.0 pre-release. Going by the scores listed below, the batch comprises two Critical-severity flaws (CVE-2026-53519 at CVSS 9.1 and CVE-2026-46716 at CVSS 9.9), four High-severity issues (CVSS 7.1 to 7.7) and seven Medium-severity bugs (CVSS 5.3 to 6.8), a cluster that points to deep-seated authorization and input-validation gaps across the dashboard's API layer, WebSocket handlers, and routing logic.
Critical flaws: command injection and path confusion
The most severe vulnerability, CVE-2026-46716 (CVSS 9.9), allows a low-privileged RoleMember user to create a scheduled cron task with Cover=CronCoverAll and an arbitrary command. At every scheduler tick, the dashboard pushes that command to all connected agents — effectively giving any authenticated member remote code execution across the entire monitored fleet. The second Critical bug, CVE-2026-53519 (CVSS 9.1), lives in the dashboard's NoRoute handler: the fallbackToFrontend function uses strings.HasPrefix to decide whether a raw URL path belongs to the admin frontend, but fails to enforce path-segment boundaries. An attacker can craft a path like /dashboard_other to bypass the intended routing and reach internal endpoints that should be protected.
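The prefix-boundary mistake behind CVE-2026-53519 is easy to reproduce and easy to fix. The following Go snippet is an added illustration, not Nezha's fallbackToFrontend code: the prefix list and the normalizePath step are assumptions for the example. It puts the bare strings.HasPrefix test next to a segment-aware check, and cleans dot segments before either decision is made.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// frontendPrefixes are hypothetical route prefixes the NoRoute handler should
// hand to the dashboard frontend. Nezha's real prefix list is not reproduced.
var frontendPrefixes = []string{"/dashboard", "/static"}

// isFrontendPathVulnerable mirrors the flawed pattern: a bare strings.HasPrefix
// test, so "/dashboard_other" and "/dashboardX/anything" count as frontend paths.
func isFrontendPathVulnerable(reqPath string) bool {
	for _, p := range frontendPrefixes {
		if strings.HasPrefix(reqPath, p) {
			return true
		}
	}
	return false
}

// isFrontendPathFixed accepts only the exact prefix or the prefix followed by a
// "/", so the byte after the prefix can never extend the first path segment.
func isFrontendPathFixed(reqPath string) bool {
	for _, p := range frontendPrefixes {
		if reqPath == p || strings.HasPrefix(reqPath, p+"/") {
			return true
		}
	}
	return false
}

// normalizePath collapses "." and ".." segments and repeated slashes before any
// prefix decision, so "/dashboard/../api/x" is classified as "/api/x".
func normalizePath(raw string) string {
	return path.Clean("/" + raw)
}

func main() {
	// Constructed sample paths, including the advisory's "/dashboard_other".
	samples := []string{
		"/dashboard",
		"/dashboard/settings",
		"/dashboard_other",
		"/dashboardX/api",
		"/api/v1/server",
		"/dashboard/../api/v1/server",
	}
	for _, p := range samples {
		n := normalizePath(p)
		fmt.Printf("%-30s vulnerable=%-5v fixed=%v\n", p, isFrontendPathVulnerable(n), isFrontendPathFixed(n))
	}
}
```

The check must run on the same decoded and cleaned form of the path that the router itself dispatches on (in Gin that is c.Request.URL.Path, already percent-decoded); classifying a raw, undecoded string while the router matches the decoded one is a second way to get the two views out of sync.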
Authorization bypasses and privilege escalation
Several CVEs expose the same root cause — missing ownership or role checks. CVE-2026-46717 (CVSS 7.7) targets the notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id, which lack any role guard, letting a RoleMember create or modify notifications that should be admin-only. CVE-2026-47120 (CVSS 7.1) lets a RoleMember fire other users' cron tasks via AlertRule.FailTriggerTasks with no ownership verification. CVE-2026-47124 (CVSS 6.5) allows any authenticated non-admin member to connect to the server-status WebSocket and receive telemetry for all servers, including those owned by other users. CVE-2026-53520 (CVSS 6.5) enables authenticated users to claim the dashboard Host through NAT, preempting all dashboard routing.
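The cron, notification, trigger-task and WebSocket issues above share one missing ingredient: a server-side role or ownership decision before the action is taken. The Go code below is an added example of such a decision layer and is not Nezha's implementation; the Role and CronCover names come from the advisory, but their numeric values, the User/Server/CronTask structs and the function names are assumptions for the example. It covers the four cases the text describes: CronCoverAll restricted to admins, per-server ownership for member tasks, ownership of tasks referenced from FailTriggerTasks, an admin-only guard for the notification routes, and an owner filter for the telemetry stream.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Role and CronCover reuse the advisory's names; the values and the rest of this
// data model are assumptions for the example, not Nezha's own.
type Role int

const (
	RoleAdmin Role = iota
	RoleMember
)

type CronCover int

const (
	CronCoverIgnoreAll CronCover = iota // run only on the listed servers
	CronCoverAll                        // push to every connected agent
)

type User struct {
	ID   uint64
	Role Role
}

type Server struct {
	ID     uint64
	UserID uint64
}

type CronTask struct {
	ID      uint64
	UserID  uint64
	Cover   CronCover
	Servers []uint64
	Command string
}

var ErrForbidden = errors.New("forbidden")

// RequireAdmin is the guard missing from admin-only routes such as
// POST /api/v1/notification and PATCH /api/v1/notification/:id.
func RequireAdmin(u User) error {
	if u.Role != RoleAdmin {
		return fmt.Errorf("%w: user %d is not an admin", ErrForbidden, u.ID)
	}
	return nil
}

// AuthorizeCronCreate: admins may do anything; members may never use
// CronCoverAll and every server they list must belong to them.
func AuthorizeCronCreate(u User, task CronTask, servers map[uint64]Server) error {
	if u.Role == RoleAdmin {
		return nil
	}
	if task.Cover == CronCoverAll {
		return fmt.Errorf("%w: only admins may push a task to all agents", ErrForbidden)
	}
	for _, sid := range task.Servers {
		s, ok := servers[sid]
		if !ok || s.UserID != u.ID {
			return fmt.Errorf("%w: server %d is not owned by user %d", ErrForbidden, sid, u.ID)
		}
	}
	return nil
}

// AuthorizeTriggerTasks is the ownership check for AlertRule.FailTriggerTasks:
// a member may only reference cron tasks they own (unknown IDs are treated the
// same as foreign ones so the error does not leak which IDs exist).
func AuthorizeTriggerTasks(u User, taskIDs []uint64, tasks map[uint64]CronTask) error {
	if u.Role == RoleAdmin {
		return nil
	}
	for _, id := range taskIDs {
		t, ok := tasks[id]
		if !ok || t.UserID != u.ID {
			return fmt.Errorf("%w: cron task %d is not owned by user %d", ErrForbidden, id, u.ID)
		}
	}
	return nil
}

// VisibleServers filters the set a server-status WebSocket may stream: all
// servers for admins, only owned servers for members.
func VisibleServers(u User, servers map[uint64]Server) []Server {
	var out []Server
	for _, s := range servers {
		if u.Role == RoleAdmin || s.UserID == u.ID {
			out = append(out, s)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ID < out[j].ID })
	return out
}

func main() {
	// Constructed fixtures: one admin, two members, two servers, two tasks.
	member := User{ID: 2, Role: RoleMember}
	servers := map[uint64]Server{10: {ID: 10, UserID: 2}, 11: {ID: 11, UserID: 3}}
	tasks := map[uint64]CronTask{100: {ID: 100, UserID: 2}, 101: {ID: 101, UserID: 3}}

	fmt.Println(AuthorizeCronCreate(member, CronTask{Cover: CronCoverAll, Command: "id"}, servers))
	fmt.Println(AuthorizeCronCreate(member, CronTask{Servers: []uint64{10}}, servers))
	fmt.Println(AuthorizeTriggerTasks(member, []uint64{101}, tasks))
	fmt.Println(RequireAdmin(member))
	fmt.Println(VisibleServers(member, servers))
}
```

The decision has to be re-evaluated at every point where the stored object is acted on, not only at creation: a task that was legitimately created can still be referenced later from another user's alert rule or re-targeted by a later PATCH, which is exactly the gap CVE-2026-47120 exploits.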
Agent-side and service-monitor forgeries
CVE-2026-48119 (CVSS 7.1) lets authenticated agents forge service-monitor results for other users' services, corrupting the monitoring data that operators rely on. CVE-2026-49396 (CVSS 7.1) is a cross-site GET request vulnerability: a state-changing action that triggers stored cron commands on the victim's agents is reachable with a plain GET, so a logged-in operator only has to load a crafted link (an image tag on a third-party page is enough) for the attack to fire, with no further interaction.
OAuth2 host injection and WebSocket hijacking
CVE-2026-53523 (CVSS 6.8) targets the OAuth2 callback flow: the getRedirectURL function in oauth2.go concatenates the request's Host header with a fixed path without any validation, enabling host-header injection that can redirect tokens to an attacker-controlled server. CVE-2026-53522 (CVSS 6.5) describes two dashboard endpoints — POST /api/v1/terminal and POST /api/v1/ws — that create long-lived WebSocket streams to monitored agents, which can be hijacked under certain conditions.
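The host-header injection in CVE-2026-53523 comes from deriving a security-relevant URL from the request instead of from configuration. The Go code below is an added example and not Nezha's getRedirectURL: the callback path, the provider-name alphabet and the configured base URL setting are assumptions. It shows the vulnerable concatenation beside a version that builds the callback from an operator-configured base URL, plus an explicit host allowlist for deployments that genuinely serve more than one hostname.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"path"
	"strings"
)

// callbackPath is a hypothetical route; the advisory names getRedirectURL in
// oauth2.go but not the path it appends.
const callbackPath = "/api/v1/oauth2/callback"

// getRedirectURLVulnerable follows the pattern the advisory describes: the
// request's Host header is concatenated with a fixed path, unvalidated.
func getRedirectURLVulnerable(r *http.Request, provider string) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + r.Host + callbackPath + "/" + provider
}

// getRedirectURLFixed derives the callback from an operator-configured base URL
// (e.g. a dashboard URL setting) and never consults the request at all.
func getRedirectURLFixed(configuredBase, provider string) (string, error) {
	if !validProviderName(provider) {
		return "", fmt.Errorf("invalid provider name %q", provider)
	}
	base, err := url.Parse(configuredBase)
	if err != nil {
		return "", err
	}
	if (base.Scheme != "http" && base.Scheme != "https") || base.Host == "" {
		return "", errors.New("configured base URL must be absolute http(s)")
	}
	u := url.URL{
		Scheme: base.Scheme,
		Host:   base.Host,
		Path:   path.Join(base.Path, callbackPath, provider),
	}
	return u.String(), nil
}

// validProviderName keeps the provider segment to a known-safe alphabet so a
// caller cannot smuggle "../", "?" or "#" into the callback URL.
func validProviderName(p string) bool {
	if p == "" {
		return false
	}
	for _, c := range p {
		if !((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-' || c == '_') {
			return false
		}
	}
	return true
}

// hostAllowed is the fallback when the request Host really must be used
// (multi-domain deployments): an exact, case-insensitive allowlist match.
func hostAllowed(host string, allowlist []string) bool {
	for _, a := range allowlist {
		if strings.EqualFold(host, a) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request carrying an attacker-chosen Host header.
	r := &http.Request{Host: "evil.example"}
	fmt.Println("vulnerable:", getRedirectURLVulnerable(r, "github"))
	fixed, err := getRedirectURLFixed("https://dash.example.com", "github")
	fmt.Println("fixed:     ", fixed, err)
	fmt.Println("host allowed:", hostAllowed(r.Host, []string{"dash.example.com"}))
}
```

Registering the exact callback URL with the identity provider is the second half of the defence: a provider that enforces an exact redirect_uri match will refuse to send the authorization response to the injected host even if the dashboard asks for it.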
DDNS profile abuse and private-service enumeration
CVE-2026-53521 (CVSS 6.4) allows a PATCH to /server/{id} to persist a nonexistent ddns_profiles ID for a member-owned server; if another user later creates a DDNS profile with that orphaned ID, the DDNS worker executes against the original server — a classic dangling-reference attack. CVE-2026-47268 (CVSS 6.4) lets an authenticated dashboard user create a DDNS profile with an arbitrary webhook_url, HTTP method, body, and headers, enabling server-side request forgery (SSRF) against internal or external targets. CVE-2026-49397 (CVSS 5.3) exposes private services (EnableShowInService: false) via per-server endpoints, leaking service name and timing data to unauthorized users.
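For the SSRF in CVE-2026-47268 the practical control is to validate the DDNS profile's destination before it is stored and again before it is dispatched. The Go code below is an added example and not Nezha's DDNS worker: the ValidateWebhook function, the method allowlist and the pluggable Resolver are assumptions for the example. It rejects non-http(s) schemes, embedded credentials and any host that resolves to loopback, private, link-local (including the cloud metadata address), CGNAT, unspecified or multicast space, and takes its resolver as a parameter so it can be exercised offline against a constructed DNS table.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Resolver abstracts DNS so the check can run offline; production code would
// pass net.LookupIP.
type Resolver func(host string) ([]net.IP, error)

// allowedMethods is the example's allowlist for the profile's HTTP method.
var allowedMethods = map[string]bool{"GET": true, "POST": true, "PUT": true, "PATCH": true}

// isDisallowedIP rejects loopback, RFC 1918, link-local (which covers
// 169.254.169.254), CGNAT 100.64.0.0/10, unspecified and multicast addresses.
// The net.IP predicates handle IPv4-mapped IPv6 addresses transparently.
func isDisallowedIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() ||
		ip.IsMulticast() || ip.IsUnspecified() {
		return true
	}
	if v4 := ip.To4(); v4 != nil && v4[0] == 100 && v4[1]&0xc0 == 64 {
		return true // 100.64.0.0/10
	}
	return false
}

// ValidateWebhook checks a DDNS profile's webhook_url and method. The host is
// resolved and every returned address must be outside the disallowed ranges.
func ValidateWebhook(rawURL, method string, resolve Resolver) error {
	if !allowedMethods[strings.ToUpper(method)] {
		return fmt.Errorf("method %q not allowed", method)
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return errors.New("credentials in webhook URL are not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return errors.New("webhook URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = resolve(host); err != nil {
		return fmt.Errorf("resolving %s: %w", host, err)
	}
	if len(ips) == 0 {
		return fmt.Errorf("%s resolved to no addresses", host)
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return fmt.Errorf("%s resolves to disallowed address %s", host, ip)
		}
	}
	return nil
}

func main() {
	// Constructed DNS table standing in for real resolution.
	table := map[string]string{"hooks.example.com": "203.0.113.10", "internal.example.com": "10.0.0.5"}
	resolve := Resolver(func(h string) ([]net.IP, error) {
		if a, ok := table[h]; ok {
			return []net.IP{net.ParseIP(a)}, nil
		}
		return nil, fmt.Errorf("no such host %s", h)
	})
	for _, u := range []string{
		"https://hooks.example.com/update",
		"https://internal.example.com/update",
		"http://169.254.169.254/latest/meta-data/",
		"http://[::1]/",
	} {
		fmt.Printf("%-42s %v\n", u, ValidateWebhook(u, "POST", resolve))
	}
}
```

Two caveats a check like this cannot remove on its own. DNS rebinding can return a public address at validation time and an internal one when the worker connects, so the dispatching http.Client should pin the validated address through a custom DialContext; and a redirect from the validated host can land anywhere, so CheckRedirect should re-run the same validation on every hop or refuse redirects outright.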
Patch status and version guidance
The Nezha project has addressed the entire batch across a series of releases. The oldest fixes landed in version 2.0.8 (covering CVE-2026-46716, CVE-2026-46717, CVE-2026-47120). Subsequent releases patched the remaining issues: 2.0.9 (CVE-2026-47124), 2.0.10 (CVE-2026-47268), 2.0.12 (CVE-2026-48119), 2.0.13 (CVE-2026-53519), 2.0.14 (CVE-2026-49396, CVE-2026-49397), 2.1.0 (CVE-2026-53520, CVE-2026-53521), and finally version 2.2.0 (CVE-2026-53522, CVE-2026-53523). Operators still running any version prior to 2.2.0 should upgrade immediately; those on the 1.x or early 2.0.x branches are exposed to multiple unpatched attack vectors.
For Nezha users — particularly those managing multi-tenant dashboards where RoleMember accounts are delegated to team members — this disclosure is a strong signal to audit user roles, review cron task configurations, and ensure the dashboard is not exposed to untrusted networks. The concentration of authorization bypasses in the member-to-admin escalation path suggests that the RoleMember boundary should be treated as a weak trust boundary until a comprehensive access-control review is completed.