PT-2026-42859 · Unknown · Nezha Monitoring

Published

2026-05-23

·

Updated

2026-06-25

·

CVE-2026-47120

CVSS v3.1

7.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.7
Description An authenticated user with RoleMember privileges can trigger cron tasks belonging to other users, including administrators. This occurs because the system fails to verify the ownership of cron task IDs provided during the creation or update of alert rules and service monitors. Specifically, the createAlertRule, updateAlertRule, createService, and updateService functions accept FailTriggerTasks and RecoverTriggerTasks variables without validating if the caller owns the specified tasks.
When an alert or service monitor trips, the SendTriggerTasks() function retrieves the tasks from a global registry and executes them via CronTrigger(). If the targeted cron task is configured to run on all servers, the command is executed across every connected agent regardless of the user's permissions.
This issue is reachable via the following API endpoints
  • '/api/v1/alert-rule'
  • '/api/v1/service'
Recommendations Update Nezha Monitoring to version 2.0.8. As a temporary workaround, restrict the use of FailTriggerTasks and RecoverTriggerTasks in alert rules and service monitors until the update is applied.

Exploit

Fix

Missing Authorization

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-47120
GHSA-RXF6-WJH4-JFJ6
GO-2026-5645

Affected Products

Nezha Monitoring