CVE-2026-47268

MEDIUM 6.4

Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

13th

Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.

CWE	CWE-918
Vendor	nezhahq
Product	nezha
Published	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for nezhahq nezha

Be the first to know when new medium vulnerabilities affecting nezhahq nezha are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

nezhahq / nezha

>= 0.20.0, < 2.0.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nezhahq/nezha/security/advisories/GHSA-6x26-5727-rrm9