CVE-2026-46716: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nezhahq nezha
Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 contain a critical OS command injection vulnerability. A user with RoleMember privileges can create a scheduled cron task that executes arbitrary commands on all servers globally, including those belonging to other tenants. This allows the attacker to run commands on multiple servers and receive the output via a webhook they control. The vulnerability has been fixed in version 2.0.8.
AI Analysis
Technical Summary
Nezha Monitoring, a self-hostable server and website monitoring tool, suffers from an OS command injection vulnerability (CVE-2026-46716) in versions 1.4.0 through before 2.0.8. A RoleMember user can schedule a cron task with a specific cover setting that causes the dashboard to push an arbitrary command to all servers in the global ServerShared map, including those of other tenants. Each agent executes the command and returns output to the attacker-controlled notification webhook. This vulnerability allows unauthorized command execution across multiple servers and escalates privileges by bypassing tenant boundaries. The issue is patched in version 2.0.8.
Potential Impact
An attacker with RoleMember privileges can execute arbitrary OS commands on all servers managed by the Nezha Monitoring instance, including servers of other tenants. This leads to complete compromise of confidentiality, integrity, and availability of affected servers. The attacker can exfiltrate command output via their own notification webhook, enabling remote code execution and potential lateral movement within the environment.
Mitigation Recommendations
Upgrade Nezha Monitoring to version 2.0.8 or later, where this vulnerability is patched. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated in the provided data, but the description confirms the fix in 2.0.8.
CVE-2026-46716: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in nezhahq nezha
Description
Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 contain a critical OS command injection vulnerability. A user with RoleMember privileges can create a scheduled cron task that executes arbitrary commands on all servers globally, including those belonging to other tenants. This allows the attacker to run commands on multiple servers and receive the output via a webhook they control. The vulnerability has been fixed in version 2.0.8.
CVSS v3.1
Score 9.9critical
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Nezha Monitoring, a self-hostable server and website monitoring tool, suffers from an OS command injection vulnerability (CVE-2026-46716) in versions 1.4.0 through before 2.0.8. A RoleMember user can schedule a cron task with a specific cover setting that causes the dashboard to push an arbitrary command to all servers in the global ServerShared map, including those of other tenants. Each agent executes the command and returns output to the attacker-controlled notification webhook. This vulnerability allows unauthorized command execution across multiple servers and escalates privileges by bypassing tenant boundaries. The issue is patched in version 2.0.8.
Potential Impact
An attacker with RoleMember privileges can execute arbitrary OS commands on all servers managed by the Nezha Monitoring instance, including servers of other tenants. This leads to complete compromise of confidentiality, integrity, and availability of affected servers. The attacker can exfiltrate command output via their own notification webhook, enabling remote code execution and potential lateral movement within the environment.
Mitigation Recommendations
Upgrade Nezha Monitoring to version 2.0.8 or later, where this vulnerability is patched. No other mitigations are indicated by the vendor advisory. Patch status is not explicitly stated in the provided data, but the description confirms the fix in 2.0.8.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-15T23:26:58.310Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c7c90e617e2d834c6c7a3
Added to database: 6/12/2026, 9:39:28 PM
Last enriched: 6/12/2026, 9:55:05 PM
Last updated: 6/13/2026, 2:30:31 AM
Views: 7
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.