PT-2026-42858 · Unknown · Nezha Monitoring
Published
2026-05-23
·
Updated
2026-06-25
·
CVE-2026-46717
CVSS v3.1
8.5
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Nezha Monitoring versions 1.4.0 through 2.0.7
Description
The dashboard allows users with the
RoleMember role to access notification routes that should be restricted to administrators. Specifically, the endpoints "POST /api/v1/notification" and "PATCH /api/v1/notification/:id" are processed by commonHandler instead of adminHandler, failing to enforce administrative privileges. These handlers use the Send() function to make synchronous HTTP requests to a user-defined URL. If the request results in a non-2xx response, the entire response body is reflected back to the caller without a size limit. This allows a low-privilege user to read internal network HTTP response bodies via the dashboard hub and potentially cause a denial of service by requesting large internal files that exhaust system memory.Recommendations
Update to version 2.0.8.
As a temporary workaround, restrict access to the "POST /api/v1/notification" and "PATCH /api/v1/notification/:id" endpoints to authorized administrators only.
Exploit
Fix
SSRF
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nezha Monitoring