PatchSiren cyber security CVE debrief
CVE-2026-47268 nezhahq CVE debrief
A blind Server-Side Request Forgery (SSRF) vulnerability was found in Nezha Monitoring, a self-hostable, lightweight tool for monitoring servers and websites. The issue affects versions from 0.20.0 up to but not including 2.0.10. An authenticated user with low privileges can create or update a DDNS profile that uses a provider webhook, and in doing so chooses the webhook URL, HTTP method, request body and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request through utils.HttpClient, without the SSRF protections that are applied to notification webhooks. An attacker who controls a server or DDNS profile under their own account can therefore make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker, so the SSRF is blind, but it still allows state-changing requests against internal services that trust the dashboard host's network position.
- Vendor: nezhahq
- Product: nezha
- CVSS: MEDIUM 6.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Administrators of Nezha Monitoring instances running any version from 0.20.0 before 2.0.10 should treat this as actionable. The attacker needs only a low-privileged dashboard account that can create or edit a DDNS profile or that owns a server record, so any deployment that grants logins to users who are not fully trusted is exposed. What the attacker can reach is determined by the dashboard host's network position: loopback services on the host itself and any internal services reachable from it.
Technical summary
The DDNS provider webhook path builds the outbound request entirely from profile fields the user controls (URL, method, headers, body) and sends it through utils.HttpClient without the destination checks that the notification webhook path applies. Nothing prevents the URL from pointing at 127.0.0.1, an RFC 1918 address, or another host reachable only from the dashboard. Because the response is not surfaced to the user, the attacker cannot read data back, but can still trigger side effects on any internal endpoint that accepts requests on the strength of the dashboard host's network position, with a method and body of the attacker's choosing.
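As an added example that is not Nezha's code (the project's utils.HttpClient and DDNS code are not reproduced here), the following Go program shows the kind of destination check a server-side webhook sender needs: every hostname is resolved and every resolved address is vetted at dial time, the vetted IP literal is dialled so DNS rebinding cannot swap in an internal address, each redirect hop is re-checked, and proxy environment variables are ignored. The function and variable names, the blocked address classes and the sample malicious URL are assumptions of this example, not taken from the advisory or from the upstream fix.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

var ErrForbiddenDestination = errors.New("webhook destination is loopback, private or link-local")
// isForbiddenIP: loopback, RFC 1918/ULA private, link-local (includes 169.254.169.254, the cloud
// metadata address), multicast, unspecified. IPv4-mapped IPv6 is unwrapped so ::ffff:127.0.0.1 is caught.
func isForbiddenIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// validateWebhookURL rejects non-HTTP schemes and literal forbidden IPs before any lookup happens.
func validateWebhookURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && isForbiddenIP(ip) {
		return nil, fmt.Errorf("%w: %s", ErrForbiddenDestination, u.Hostname())
	}
	return u, nil
}

// safeDialContext resolves the host, refuses if any answer is forbidden, then dials the vetted IP
// literal (not the name) so a second lookup cannot swap in an internal address (DNS rebinding).
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil || len(ips) == 0 {
		return nil, fmt.Errorf("resolving %q: %v", host, err)
	}
	for _, a := range ips {
		if isForbiddenIP(a.IP) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrForbiddenDestination, host, a.IP)
		}
	}
	d := &net.Dialer{Timeout: 5 * time.Second}
	return d.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
}

// newSSRFSafeClient checks every connection and every redirect hop, and ignores proxy environment
// variables, since a proxy would be dialled instead of the target and bypass the check.
func newSSRFSafeClient() *http.Client {
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: safeDialContext, Proxy: nil},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			_, err := validateWebhookURL(req.URL.String()) // Go caps redirects at 10 by itself
			return err
		},
	}
}

// sendWebhook issues the DDNS provider call with user-chosen method, URL, headers and body (the
// inputs the advisory names) through the checked client; the response body is closed unread (blind).
func sendWebhook(ctx context.Context, c *http.Client, method, rawURL, body string, headers map[string]string) (int, error) {
	u, err := validateWebhookURL(rawURL)
	if err != nil {
		return 0, err
	}
	req, err := http.NewRequestWithContext(ctx, method, u.String(), strings.NewReader(body))
	if err != nil {
		return 0, err
	}
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed input modelled on a malicious DDNS profile; refused before any socket opens.
	_, err := sendWebhook(context.Background(), newSSRFSafeClient(), "POST", "http://127.0.0.1:8080/admin/reset", `{"confirm":true}`, nil)
	fmt.Println(err)
}
```

Running it prints the refusal for the loopback target without a socket being opened. A string-level check alone (rejecting "127.0.0.1" in the configured URL) is not enough: an attacker-controlled DNS name can resolve to an internal address, and a public host can redirect there, which is why the check also sits in the dialler and in CheckRedirect.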
Defensive priority
MEDIUM
Recommended defensive actions
- Upgrade Nezha Monitoring to version 2.0.10 or later, which contains the fix.
- Until the upgrade is done, restrict creation and editing of DDNS profiles, and of servers that reference them, to fully trusted administrators, and review existing profiles for webhook URLs that point at loopback, private or link-local addresses.
- Limit outbound connections from the dashboard host at the host firewall or network level to the DDNS providers and notification endpoints it actually needs; this contains the impact of this and any similar SSRF issue.
- Monitor dashboard logs and outbound connection logs for DDNS webhook requests aimed at internal addresses or carrying unexpected methods, headers or bodies.
Evidence notes
The CVE-2026-47268 record was published on June 12, 2026 with a CVSS score of 6.4 (medium). The affected range starts at version 0.20.0, and the vulnerability was fixed in Nezha Monitoring version 2.0.10.
Official resources
- CVE-2026-47268 CVE record (CVE.org)
- CVE-2026-47268 NVD detail (NVD)
- Source reference: CVE-2026-47268 was published on 2026-06-12T22:16:51.390Z.