PatchSiren cyber security CVE debrief
CVE-2026-47120 nezhahq CVE debrief
CVE-2026-47120 is a high-severity vulnerability in Nezha Monitoring, a self-hostable, lightweight monitoring and O&M tool. The issue allows a RoleMember to fire other users' cron tasks via AlertRule.FailTriggerTasks without ownership checks. This vulnerability affects Nezha Monitoring versions from 1.4.0 to before 2.0.8. The issue has been patched in version 2.0.8. The CVSS score for this vulnerability is 7.1, indicating a high severity level. The vulnerability was published on [cvePublishedAt] and has not been modified since then.
- Vendor: nezhahq
- Product: nezha
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Operators of Nezha Monitoring, especially of multi-user deployments that grant the RoleMember role, should be aware of this vulnerability and upgrade to version 2.0.8 or later without delay.
Technical summary
The vulnerability is caused by a missing ownership check in the AlertRule.FailTriggerTasks feature: when an alert rule lists cron tasks to fire on failure, the server does not verify that those tasks belong to the user who authored the rule. A RoleMember can therefore reference and trigger cron tasks owned by other users, causing actions those users defined to run unintentionally, with whatever effect those tasks have on the monitored systems or their data.
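As an added illustration (not Nezha's own code; the type, field and role names are assumptions modelled on the names in the summary), the vulnerable validation pattern sits beside its hardened form in Go, the language Nezha is written in:

```go
package main

import (
	"errors"
	"fmt"
)

// Roles are assumptions for this example, not Nezha's own constants.
const (
	RoleAdmin  = 0
	RoleMember = 1
)

// Cron stands in for a scheduled task record; each task has one owner.
type Cron struct{ ID, UserID uint64 }

// AlertRule mirrors the page's AlertRule.FailTriggerTasks: the cron task
// IDs to fire when the rule fails, plus the author of the rule.
type AlertRule struct {
	UserID           uint64
	FailTriggerTasks []uint64
}

var ErrNotOwner = errors.New("cron task not owned by rule author")

// validateUnchecked is the vulnerable pattern: it confirms each
// referenced task exists but never asks who owns it.
func validateUnchecked(crons map[uint64]Cron, rule AlertRule) error {
	for _, id := range rule.FailTriggerTasks {
		if _, ok := crons[id]; !ok {
			return fmt.Errorf("cron task %d not found", id)
		}
	}
	return nil
}

// validateOwned is the hardened form: a member may reference only tasks
// they own; an admin may reference any existing task.
func validateOwned(crons map[uint64]Cron, rule AlertRule, role int) error {
	for _, id := range rule.FailTriggerTasks {
		c, ok := crons[id]
		if !ok {
			return fmt.Errorf("cron task %d not found", id)
		}
		if role != RoleAdmin && c.UserID != rule.UserID {
			return fmt.Errorf("cron task %d: %w", id, ErrNotOwner)
		}
	}
	return nil
}
```

The ownership check must run on every path that creates or updates a rule, since the unchecked variant accepts any existing task ID regardless of who submits it.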
Defensive priority
High
Recommended defensive actions
- Upgrade Nezha Monitoring to version 2.0.8 or later.
- Review and restrict RoleMember privileges to minimize potential impact.
Evidence notes
The vulnerability is documented in the CVE record [resourceLinkAnnotations:cve-org] and the NVD detail page [resourceLinkAnnotations:nvd]. A security advisory [resourceLinkAnnotations:ref-4] is also available on GitHub.
Official resources
- CVE-2026-47120 CVE record (CVE.org)
- CVE-2026-47120 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-47120 was published on 2026-06-12T22:16:51.100Z and has not been modified since then.