Nezha Monitoring: RoleMember can run shell on every server (cross-tenant...

9.9 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.

AI Analysis

Cross-tenant remote code execution vulnerability in Nezha Monitoring via scheduled cron task

Basic Information

ID CVE-2026-46716

Source GitHub_M

Published Jun 12, 2026 at 21:00

Affected Product

Vendor nezhahq

Product nezha

Version >= 1.4.0, < 2.0.8

Affected Versions nezhahq nezha >= 1.4.0, < 2.0.8

CWE Classification

CWE-78 CWE-269 CWE-862

AI Assessment

AI Score 9.9 / 10

AI Severity Critical

Vendor nezhahq

Product Nezha Monitoring

Version 1.4.0 to 2.0.8

References

github.com /nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9

{
    "lastseen": "",
    "description": "Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map \u2014 including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup \u2192 attacker-controlled webhook. This issue has been patched in version 2.0.8.",
    "published": "2026-06-12T21:00:46.700Z",
    "modified": "2026-06-12T21:00:46.700Z",
    "type": "cve",
    "title": "Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron",
    "source": "GitHub_M",
    "references": "https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9",
    "id": "CVE-2026-46716",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78",
        "CWE-269",
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "nezhahq nezha >= 1.4.0, < 2.0.8",
    "sourceHref": "",
    "cvss": {
        "score": 9.9,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nezha",
    "version": ">= 1.4.0, < 2.0.8",
    "vendor": "nezhahq",
    "ai_description": "Cross-tenant remote code execution vulnerability in Nezha Monitoring via scheduled cron task",
    "ai_severity": "Critical",
    "ai_vendor": "nezhahq",
    "ai_product": "Nezha Monitoring",
    "ai_version": "1.4.0 to 2.0.8",
    "ai_score": 9.9
}

Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron_CVE-2026-46716