CVE-2026-46716

CRITICAL 9.9

Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron

CVSS Score

9.9

EPSS Score

0.0%

EPSS Percentile

16th

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.4.0 to before version 2.0.8, a RoleMember user can create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map — including servers that belong to other tenants (admin's servers, other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup → attacker-controlled webhook. This issue has been patched in version 2.0.8.

CWE	CWE-78 CWE-269 CWE-862
Vendor	nezhahq
Product	nezha
Published	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for nezhahq nezha

Be the first to know when new critical vulnerabilities affecting nezhahq nezha are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

nezhahq / nezha

>= 1.4.0, < 2.0.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9