PatchSiren cyber security CVE debrief
CVE-2026-46716 nezhahq CVE debrief
A critical vulnerability was discovered in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. The vulnerability allows a RoleMember user to create a scheduled cron task with Cover=CronCoverAll, Servers=[] and an arbitrary Command. At every tick of the scheduler, the dashboard pushes that command to every server in the global ServerShared map, including servers that belong to other tenants (the admin's servers and other members' servers). Each agent runs the command and returns the output, which is then sent to the attacker's own NotificationGroup and on to an attacker-controlled webhook. This issue has been patched in version 2.0.8.
- Vendor: nezhahq
- Product: nezha
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators and users of Nezha Monitoring, especially those who have not upgraded to version 2.0.8, should be aware of this vulnerability and take immediate action to patch their systems.
Technical summary
The vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. It can be exploited by a RoleMember user to execute arbitrary commands on servers belonging to other tenants. The root cause is a lack of proper validation and authorization in the scheduled cron task feature: the set of servers a task runs on is resolved against the global server map without checking that the task's creator is allowed to target each of those servers.
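To make the authorization gap concrete, the following Go program is an added illustration written for this debrief; it is not Nezha's own code, and every type, field and function name in it (Role, CoverMode, CronTask, resolveTargets, checkTenantScope, scheduleTask, the sample fleet) is an assumption chosen to mirror the behaviour the advisory describes. resolveTargets reproduces the pre-patch logic, where a cover mode is applied to the whole shared server map regardless of ownership, and checkTenantScope is the kind of fail-closed tenant check a defender would expect between task creation and dispatch.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Hypothetical model of the scheduling logic described in the advisory.
// Names are assumptions for illustration, not Nezha's own types.

type Role int

const (
	RoleAdmin Role = iota
	RoleMember
)

// CoverMode mirrors the two ways a task can select servers: run only on the
// listed servers, or run on every server except the listed ones.
type CoverMode int

const (
	CoverListedOnly CoverMode = iota
	CoverAll
)

type Server struct {
	ID      uint64
	OwnerID uint64 // tenant (user) that owns this server
}

type User struct {
	ID   uint64
	Role Role
}

type CronTask struct {
	Cover   CoverMode
	Servers []uint64
	Command string
}

var ErrCrossTenant = errors.New("cron task targets servers outside the creator's tenant")

// resolveTargets is the pre-patch behaviour the advisory describes: the cover
// mode is applied to the whole shared server map with no regard to ownership,
// so CoverAll with an empty Servers list selects every server of every tenant.
func resolveTargets(task CronTask, shared map[uint64]Server) []uint64 {
	listed := make(map[uint64]bool, len(task.Servers))
	for _, id := range task.Servers {
		listed[id] = true
	}
	var targets []uint64
	for id := range shared {
		switch task.Cover {
		case CoverAll:
			if !listed[id] { // everything except the listed servers
				targets = append(targets, id)
			}
		default:
			if listed[id] { // only the listed servers
				targets = append(targets, id)
			}
		}
	}
	sort.Slice(targets, func(i, j int) bool { return targets[i] < targets[j] })
	return targets
}

// checkTenantScope is the authorization step that was missing: a task may only
// run on servers its creator owns, unless the creator is an admin. It fails
// closed (rejects the whole task) rather than silently narrowing the target set.
func checkTenantScope(creator User, targets []uint64, shared map[uint64]Server) error {
	if creator.Role == RoleAdmin {
		return nil
	}
	for _, id := range targets {
		srv, ok := shared[id]
		if !ok || srv.OwnerID != creator.ID {
			return fmt.Errorf("server %d: %w", id, ErrCrossTenant)
		}
	}
	return nil
}

// scheduleTask combines both steps the way a patched dispatcher would.
func scheduleTask(task CronTask, creator User, shared map[uint64]Server) ([]uint64, error) {
	targets := resolveTargets(task, shared)
	if err := checkTenantScope(creator, targets, shared); err != nil {
		return nil, err
	}
	return targets, nil
}

// sampleFleet is constructed sample data: one admin server and servers of two member tenants.
func sampleFleet() map[uint64]Server {
	return map[uint64]Server{
		1: {ID: 1, OwnerID: 100}, // admin's server
		2: {ID: 2, OwnerID: 200},
		3: {ID: 3, OwnerID: 200},
		4: {ID: 4, OwnerID: 300},
	}
}

func main() {
	shared := sampleFleet()
	member := User{ID: 200, Role: RoleMember}
	all := CronTask{Cover: CoverAll, Servers: nil, Command: "uptime"}

	fmt.Println("pre-patch targets:", resolveTargets(all, shared)) // [1 2 3 4]
	_, err := scheduleTask(all, member, shared)
	fmt.Println("with tenant check:", err) // rejected as cross-tenant

	own := CronTask{Cover: CoverListedOnly, Servers: []uint64{2, 3}, Command: "uptime"}
	targets, err := scheduleTask(own, member, shared)
	fmt.Println("own servers only:", targets, err) // [2 3] <nil>
}
```

The check is applied to the resolved target set rather than to the task's Servers field, which is what matters here: with CoverAll the Servers list is an exclusion list, so validating only the listed IDs would still let an empty list reach every tenant. Rejecting rather than filtering also gives an auditable event (a member attempting to schedule against servers they do not own) instead of quietly running a smaller task.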
Defensive priority
High
Recommended defensive actions
- Upgrade Nezha Monitoring to version 2.0.8 or later.
- Restrict access to the scheduled cron task feature to authorized users only.
- Monitor system logs for suspicious activity.
Evidence notes
The vulnerability was reported by an unknown source and patched in version 2.0.8. The CVE record and NVD detail can be found at [cve-org] and [nvd], respectively. Additional information can be found at [ref-4].
Official resources
- CVE-2026-46716 CVE record (CVE.org)
- CVE-2026-46716 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: public