PT-2026-45048 · Go+1 · Github.Com/Nezhahq/Nezha+1

Published 2026-05-29 · Updated 2026-06-14 · CVE-2026-47268

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Nezha Monitoring versions 0.20.0 through 2.0.9

Description: An authenticated user with low privileges can perform a blind Server-Side Request Forgery (SSRF) by creating or updating a DDNS profile. By configuring a provider webhook with an arbitrary webhook URL, HTTP method, request body, and headers, the user can force the dashboard host to send HTTP requests to loopback or internal network services. This occurs because the utils.HttpClient used in the DDNS process lacks the SSRF protections implemented for notification webhooks. This allows an attacker to probe internal HTTP services or trigger state-changing requests on internal endpoints that trust private network origins. The issue involves the following endpoints:
  • 'GET /api/v1/ddns'
  • 'POST /api/v1/ddns'
  • 'PATCH /api/v1/ddns/:id'
Technical details indicate that the WebhookURL, WebhookMethod, WebhookRequestType, WebhookRequestBody, and WebhookHeaders fields are copied directly from JSON request bodies into the model.DDNSProfile without validation of the scheme, host, or IP range.

Recommendations: Update Nezha Monitoring to version 2.0.10.
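The check the description says is missing, validation of a user-supplied webhook URL's scheme, host and resolved IP range before the dashboard host fetches it, written here as an added Go example. This is not Nezha's code, and it makes no claim about how the project's notification-webhook protection or the 2.0.10 fix is implemented; the names ValidateWebhookURL, checkDialAddress, NewSafeClient and the resolver hook are assumptions. It also goes one step beyond the description: the destination is re-checked at dial time through net.Dialer.Control, so a hostname that resolves to a public address during validation but to a loopback or private address when the request is made (DNS rebinding), or a redirect to an internal address, is still refused.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"syscall"
	"time"
)

// ErrUnsafeWebhookURL is returned when a URL must not be fetched on a user's behalf.
var ErrUnsafeWebhookURL = errors.New("webhook URL resolves to a non-public address")

// isPublicIP reports whether ip lies outside the ranges a server-side
// fetch must never reach: loopback, RFC 1918 / ULA private space,
// link-local, multicast, the unspecified address, and 100.64.0.0/10.
func isPublicIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified() {
		return false
	}
	// Shared address space (100.64.0.0/10) is not covered by IsPrivate.
	if v4 := ip.To4(); v4 != nil && v4[0] == 100 && v4[1]&0xC0 == 64 {
		return false
	}
	return true
}

// ValidateWebhookURL parses raw, allows only http/https, and rejects it if
// any address the host resolves to is non-public. lookup is injected so the
// check can be exercised offline; in production pass net.LookupIP.
func ValidateWebhookURL(raw string, lookup func(host string) ([]net.IP, error)) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("invalid webhook URL: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return "", fmt.Errorf("scheme %q is not allowed", u.Scheme)
	}
	host := u.Hostname() // strips port and IPv6 brackets
	if host == "" {
		return "", errors.New("webhook URL has no host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal IP: no resolution needed
	} else if ips, err = lookup(host); err != nil {
		return "", fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return "", fmt.Errorf("%q resolved to no addresses", host)
	}
	// Every address must be public; a single internal A/AAAA record is enough to refuse.
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return "", ErrUnsafeWebhookURL
		}
	}
	return u.String(), nil
}

// checkDialAddress is the dial-time guard: address is the "ip:port" the
// dialer is about to connect to, after DNS resolution and redirects.
func checkDialAddress(address string) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	ip := net.ParseIP(host)
	if ip == nil || !isPublicIP(ip) {
		return ErrUnsafeWebhookURL
	}
	return nil
}

// NewSafeClient returns an http.Client whose every connection, including
// those made while following redirects, passes through checkDialAddress.
func NewSafeClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 10 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			return checkDialAddress(address)
		},
	}
	return &http.Client{
		Timeout:   15 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil // each hop's target is still checked in Control
		},
	}
}

func main() {
	// Constructed inputs: one public hostname, one loopback literal.
	for _, raw := range []string{"https://ddns.example.com/update", "http://127.0.0.1:8080/"} {
		_, err := ValidateWebhookURL(raw, net.LookupIP)
		fmt.Printf("%-35s -> %v\n", raw, err)
	}
}
```

ValidateWebhookURL is the check to run when a profile is created or updated (the POST and PATCH handlers above); NewSafeClient is the client the DDNS updater should then use for the request itself, so that the validation at save time and the guard at send time agree.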

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers
  • CVE-2026-47268
  • GHSA-6X26-5727-RRM9

Affected Products
  • Github.Com/Nezhahq/Nezha
  • Nezha