PT-2026-42859 · Unknown · Nezha Monitoring
Published
2026-05-23
·
Updated
2026-06-25
·
CVE-2026-47120
CVSS v3.1
7.1
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
Name of the Vulnerable Software and Affected Versions
Nezha Monitoring versions 1.4.0 through 2.0.7
Description
An authenticated user with
RoleMember privileges can trigger cron tasks belonging to other users, including administrators. This occurs because the system fails to verify the ownership of cron task IDs provided during the creation or update of alert rules and service monitors. Specifically, the createAlertRule, updateAlertRule, createService, and updateService functions accept FailTriggerTasks and RecoverTriggerTasks variables without validating if the caller owns the specified tasks.When an alert or service monitor trips, the
SendTriggerTasks() function retrieves the tasks from a global registry and executes them via CronTrigger(). If the targeted cron task is configured to run on all servers, the command is executed across every connected agent regardless of the user's permissions.This issue is reachable via the following API endpoints
- '/api/v1/alert-rule'
- '/api/v1/service'
Recommendations
Update Nezha Monitoring to version 2.0.8.
As a temporary workaround, restrict the use of
FailTriggerTasks and RecoverTriggerTasks in alert rules and service monitors until the update is applied.Exploit
Fix
Missing Authorization
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nezha Monitoring