CVE-2026-46717: Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /api/v1/notification
Nezha's dashboard supports two user roles: RoleAdmin (Role==0) and RoleMember (Role==1). The notification routes POST /api/v1/notification and PATCH /api/v1/notification/:id are wired through commonHandler rather than adminHandler, so a RoleMember user can call them. These handlers synchronously Send() an HTTP request to a user-controlled URL and, on any non-2xx response, reflect the entire response body (with no size limit) back to the caller.
Net effect: a low-privilege RoleMember can read intranet HTTP response bodies via the dashboard’s hub.
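The route gating (admin-only handler) is the first-line fix, but the two properties that turn this into an intranet read primitive are independent of it: the outbound request may target any address, and the upstream body comes back verbatim. The added example below is not Nezha's code; it is a hypothetical hardened sender in Go that (a) resolves the target itself, refuses loopback, private, link-local and multicast destinations, dials the checked IP rather than the hostname (so a DNS answer that changes between check and connect cannot slip through), refuses redirects, and (b) returns only the status code to the caller, reading the body with a hard cap for a server-side log line only. The fake upstream server, the address policy and all function names are constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// IsDisallowedIP reports whether an outbound notification may not target ip.
// Hypothetical policy: loopback, RFC 1918 / ULA private ranges, link-local
// (which covers 169.254.169.254-style metadata endpoints), multicast, unspecified.
func IsDisallowedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// NewSafeClient builds an http.Client whose dialer resolves the hostname,
// checks every resolved address against `disallowed`, and then dials the
// checked IP literally. No proxy is configured (a proxy would bypass the
// check) and redirects are refused, since a 302 to an internal host would
// otherwise defeat the policy.
func NewSafeClient(disallowed func(net.IP) bool) *http.Client {
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	transport := &http.Transport{
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			host, port, err := net.SplitHostPort(addr)
			if err != nil {
				return nil, err
			}
			ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
			if err != nil {
				return nil, err
			}
			if len(ips) == 0 {
				return nil, fmt.Errorf("no address for %q", host)
			}
			for _, ip := range ips {
				if disallowed(ip.IP) {
					return nil, fmt.Errorf("destination %s is not allowed", ip.IP)
				}
			}
			// Dial the IP we just checked, not the hostname, to defeat rebinding.
			return dialer.DialContext(ctx, network, net.JoinHostPort(ips[0].IP.String(), port))
		},
	}
	return &http.Client{
		Transport: transport,
		Timeout:   10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return errors.New("redirects are not followed for notification targets")
		},
	}
}

// maxLoggedBody caps how much of an upstream response is read; it is logged
// server-side for operators and never handed back to the requesting user.
const maxLoggedBody = 512

// SendNotification posts payload to target and returns only the HTTP status.
// Dial-policy failures and non-2xx bodies surface as generic errors.
func SendNotification(client *http.Client, target, payload string) (int, error) {
	req, err := http.NewRequest(http.MethodPost, target, strings.NewReader(payload))
	if err != nil {
		return 0, err
	}
	if req.URL.Scheme != "http" && req.URL.Scheme != "https" {
		return 0, fmt.Errorf("scheme %q not allowed", req.URL.Scheme)
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		log.Printf("notification to %s failed: %v", req.URL.Host, err) // operator log only
		return 0, errors.New("notification target unreachable or not allowed")
	}
	defer resp.Body.Close()
	preview, _ := io.ReadAll(io.LimitReader(resp.Body, maxLoggedBody))
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		log.Printf("notification to %s returned %d: %q", req.URL.Host, resp.StatusCode, preview)
		return resp.StatusCode, fmt.Errorf("notification target returned HTTP %d", resp.StatusCode)
	}
	return resp.StatusCode, nil
}

// NewFakeIntranetServer is a constructed stand-in for an internal service that
// answers non-2xx with a body the caller must never see.
func NewFakeIntranetServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusInternalServerError)
		io.WriteString(w, "intranet secret page")
	}))
}

func main() {
	upstream := NewFakeIntranetServer()
	defer upstream.Close()
	// 1. With the address policy, the loopback target is refused at dial time.
	_, err := SendNotification(NewSafeClient(IsDisallowedIP), upstream.URL, `{"msg":"test"}`)
	fmt.Println("policy client:", err)
	// 2. Even for an allowed target, the non-2xx body is not reflected.
	status, err := SendNotification(NewSafeClient(func(net.IP) bool { return false }), upstream.URL, `{"msg":"test"}`)
	fmt.Println("allow-all client:", status, err)
}
```

Two points about the design: the address check lives in the dialer rather than in a pre-validation of the URL string, because a check performed before the connect can be invalidated by a second DNS lookup; and the caller-facing error carries no upstream bytes at all, so even an allowed-but-misconfigured target cannot be used as a read oracle.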