CVE-2026-46717: Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /…

Summary nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rathe…

8.5CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-46717
Vendor	go
Affected Product	github.com/nezhahq/nezha
Vulnerability Type	Vulnerability
CVSS Score	8.5 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary nezha's dashboard supports two user roles: `RoleAdmin` (Role==0) and `RoleMember` (Role==1). The notification routes `POST /api/v1/notification` and `PATCH /api/v1/notification/:id` are wired through `commonHandler` rather than `adminHandler` — so a `RoleMember` user can call them. These handlers synchronously `Send()` an HTTP request to a user-controlled URL and reflect the entire response body (no size limit) back to the caller on any non-2xx response. Net effect: a low-privilege `RoleMember` can read intranet HTTP response bodies via the dashboard's hub.

Affected versions Commit `50dc8e660326b9f22990898142c58b7a5312b42a` and earlier on `master`.

Reachability chain ```

cmd/dashboard/controller/controller.go:121-122 auth.GET("/notification", listHandler(listNotification

🎯 Known Indicators of Compromise

{"type":"sha1","value":"50dc8e660326b9f22990898142c58b7a5312b42a","confidence_score":0.9,"first_seen":"2026-05-23","source_count":1}

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-46717 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →