PT-2026-42858 · Unknown · Nezha Monitoring

Published

2026-05-23

·

Updated

2026-06-25

·

CVE-2026-46717

CVSS v3.1

8.5

High

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.7
Description The dashboard allows users with the RoleMember role to access notification routes that should be restricted to administrators. Specifically, the endpoints "POST /api/v1/notification" and "PATCH /api/v1/notification/:id" are processed by commonHandler instead of adminHandler, failing to enforce administrative privileges. These handlers use the Send() function to make synchronous HTTP requests to a user-defined URL. If the request results in a non-2xx response, the entire response body is reflected back to the caller without a size limit. This allows a low-privilege user to read internal network HTTP response bodies via the dashboard hub and potentially cause a denial of service by requesting large internal files that exhaust system memory.
Recommendations Update to version 2.0.8. As a temporary workaround, restrict access to the "POST /api/v1/notification" and "PATCH /api/v1/notification/:id" endpoints to authorized administrators only.

Exploit

Fix

SSRF

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-46717
GHSA-W4G9-MXGG-J532
GO-2026-5687

Affected Products

Nezha Monitoring