CVE-2026-47268— Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1071 · Application Layer Protocol T1598 · Phishing for InformationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-47268
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nezha Monitoring: Authenticated DDNS webhook configuration allows blind SSRF from the dashboard host
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 0.20.0 to before version 2.0.10, an authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhook_url, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. This issue has been patched in version 2.0.10.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
nezhahq nezha 服务端请求伪造漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nezha Monitering是Nezha Monitoring组织开源的一款自托管、轻量级的服务器和网站监控及运维工具。 nezhahq nezha monitoring 0.20.0版本至2.0.10之前版本存在服务端请求伪造漏洞,该漏洞源于可配置任意webhook_url、HTTP方法、请求体和标头,且未使用SSRF保护,可能导致低权限认证用户通过控制服务器或DDNS配置文件使仪表盘主机向回环或内部网络服务发起HTTP请求,形成盲SSRF或内部状态更改请求基元。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-47268
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-47268
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-47268 (1)
Same Patch Batch · nezhahq · 2026-06-12 · 13 CVEs total
| CVE-2026-46716 | 9.9 CRITICAL | Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /ap |
| CVE-2026-53519 | 9.1 CRITICAL | Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwt_secr |
| CVE-2026-46717 | 7.7 HIGH | Nezha Monitoring: RoleMember-reachable SSRF with full response-body reflection via POST /a |
| CVE-2026-47120 | 7.1 HIGH | Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTas |
| CVE-2026-48119 | 7.1 HIGH | Nezha Monitoring: Authenticated agents can forge service-monitor results for other users' |
| CVE-2026-49396 | 7.1 HIGH | Nezha Monitoring: Cross-site GET request can trigger stored cron commands on a victim's ag |
| CVE-2026-53523 | 6.8 MEDIUM | Nezha Monitoring: OAuth2 Redirect URL — Host Header Injection |
| CVE-2026-53520 | 6.5 MEDIUM | Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt |
| CVE-2026-53522 | 6.5 MEDIUM | Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS |
| CVE-2026-47124 | 6.5 MEDIUM | Nezha WebSocket server stream discloses cross-tenant server telemetry to authenticated mem |
| CVE-2026-53521 | 6.4 MEDIUM | Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's |
| CVE-2026-49397 | 5.3 MEDIUM | Nezha Monitoring: Private services (`EnableShowInService: false`) are enumerable via per-s |
IV. Related Vulnerabilities
Same product: nezha
- CVE-2026-53523
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injectio - CVE-2026-53522
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exh - CVE-2026-53521
Nezha Monitoring: Stored future DDNS profile ID allows unaut - CVE-2026-53520
Nezha Monitoring: Authenticated users can claim the dashboar - CVE-2026-53519
Nezha Monitoring: Pre-auth path traversal via /dashboard.. p
Same vendor: nezhahq
- CVE-2026-53523
Nezha Monitoring: OAuth2 Redirect URL — Host Header Injectio - CVE-2026-53522
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exh - CVE-2026-53521
Nezha Monitoring: Stored future DDNS profile ID allows unaut - CVE-2026-53520
Nezha Monitoring: Authenticated users can claim the dashboar - CVE-2026-53519
Nezha Monitoring: Pre-auth path traversal via /dashboard.. p
Same weakness: CWE-918
- CVE-2026-49345
Mercator CVE Configuration Vulnerable to Server-Side Request - CVE-2026-12726
Awx: automation-controller: awx: github webhook second-order - CVE-2026-49359
PhpWeasyPrint vulnerable to SSRF and local file disclosure v - CVE-2026-11989
Bit integrations <= 2.8.7 - Unauthenticated Server-Side Requ - CVE-2026-4328
Advanced Import: One-Click Demo Import for WordPress <= 1.4.
V. Comments for CVE-2026-47268
No comments yet