CVE-2026-47120: CWE-862: Missing Authorization in nezhahq nezha
Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 contain a missing authorization vulnerability. A user with RoleMember privileges can trigger cron tasks owned by other users via the AlertRule.FailTriggerTasks feature without ownership verification. This issue has been addressed in version 2.0.8.
AI Analysis
Technical Summary
CVE-2026-47120 describes a missing authorization vulnerability (CWE-862) in Nezha Monitoring, a self-hostable monitoring tool. Specifically, from versions 1.4.0 to before 2.0.8, users assigned the RoleMember role can invoke cron tasks belonging to other users through the AlertRule.FailTriggerTasks functionality without proper ownership checks. This flaw allows unauthorized task execution, impacting integrity and availability. The vulnerability was fixed in version 2.0.8.
Potential Impact
The vulnerability allows a user with limited privileges (RoleMember) to execute cron tasks of other users without authorization. This can lead to unauthorized actions being performed, potentially disrupting operations or causing unintended side effects. The CVSS score of 7.1 indicates a high severity with network attack vector, low attack complexity, and no user interaction required. Confidentiality is not impacted, but integrity is high and availability is low impacted.
Mitigation Recommendations
Upgrade Nezha Monitoring to version 2.0.8 or later, where this missing authorization vulnerability has been patched. There is no official vendor advisory provided here, but the fix is explicitly stated in the description. Until upgrading, restrict RoleMember privileges or avoid using AlertRule.FailTriggerTasks if possible.
CVE-2026-47120: CWE-862: Missing Authorization in nezhahq nezha
Description
Nezha Monitoring versions from 1.4.0 up to but not including 2.0.8 contain a missing authorization vulnerability. A user with RoleMember privileges can trigger cron tasks owned by other users via the AlertRule.FailTriggerTasks feature without ownership verification. This issue has been addressed in version 2.0.8.
CVSS v3.1
Score 7.1high
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47120 describes a missing authorization vulnerability (CWE-862) in Nezha Monitoring, a self-hostable monitoring tool. Specifically, from versions 1.4.0 to before 2.0.8, users assigned the RoleMember role can invoke cron tasks belonging to other users through the AlertRule.FailTriggerTasks functionality without proper ownership checks. This flaw allows unauthorized task execution, impacting integrity and availability. The vulnerability was fixed in version 2.0.8.
Potential Impact
The vulnerability allows a user with limited privileges (RoleMember) to execute cron tasks of other users without authorization. This can lead to unauthorized actions being performed, potentially disrupting operations or causing unintended side effects. The CVSS score of 7.1 indicates a high severity with network attack vector, low attack complexity, and no user interaction required. Confidentiality is not impacted, but integrity is high and availability is low impacted.
Mitigation Recommendations
Upgrade Nezha Monitoring to version 2.0.8 or later, where this missing authorization vulnerability has been patched. There is no official vendor advisory provided here, but the fix is explicitly stated in the description. Until upgrading, restrict RoleMember privileges or avoid using AlertRule.FailTriggerTasks if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T19:50:18.694Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c7c90e617e2d834c6c7a9
Added to database: 6/12/2026, 9:39:28 PM
Last enriched: 6/12/2026, 9:54:42 PM
Last updated: 6/13/2026, 4:26:51 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.