External risk intelligence

Nezha Monitoring Cross-Tenant Command Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-46716

Nezha Monitoring, a server management tool, contains a critical vulnerability allowing a user with RoleMember access to execute arbitrary commands across all servers within the system, including those of other tenants. This could lead to widespread system compromise and operational disruption. This issue is resolved in

4Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-46716

Nezha Monitoring is a self-hosted dashboard and monitoring tool designed to be accessible over the network to manage various servers and websites. As a centralized management and monitoring interface, it is commonly deployed as an internet-facing or network-exposed web application to provide oversight of remote infrastructure.

PCI scan relevance

PCI Relevance for CVE-2026-46716

Yes

CVE-2026-46716 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows a low-privilege user to execute arbitrary commands on all monitored servers, which is an automatic fail for PCI ASV scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in Nezha Monitoring, a tool used for server and website management. Exploitation could allow a user with limited access to execute arbitrary commands across all servers managed by the system, potentially impacting other tenants' infrastructure. This issue has been addressed in version 2.0.8.

Unauthorized command execution across all managed servers.
Impacts other tenants and could disrupt operations.
Confirm relevance; address if deployed.

Attack Path

How an attacker could exploit the issue

An attacker with RoleMember access can create a scheduled cron task that, when executed, pushes an arbitrary command to all servers managed by Nezha Monitoring, including those belonging to other tenants. This command is executed on each agent, and its output is sent back to an attacker-controlled webhook.

Requires RoleMember user access.
Vulnerable cron task creation.
Cross-tenant command execution.

Live Threat

Current exploitation, exposure, and threat context

A RoleMember user could abuse a scheduled cron task to execute arbitrary commands across all servers managed by Nezha Monitoring, including those belonging to other tenants. This could occur when the scheduler ticks, pushing the command to every server in the global ServerShared map. The command's output is then sent to an attacker-controlled webhook.

Arbitrary command execution on managed servers.
Malicious command pushed to all servers.
Widespread system compromise possible.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Nezha Monitoring affects self-hosted instances, placing responsibility on the teams managing the application infrastructure and potentially those responsible for server administration. The first practical step is to inventory all Nezha Monitoring deployments, confirm their network exposure, identify the accountable owner for each instance, and then prioritize remediation based on the business criticality and reachability of the affected servers.

Identify Nezha Monitoring deployment owners.
Verify network exposure and critical assets.
Plan remediation or vendor engagement.

Frequently asked questions

What is Nezha Monitoring?

Nezha Monitoring is a lightweight, self-hosted platform used to oversee the health and performance of servers and websites. It functions as a centralized dashboard where administrators manage infrastructure tasks and track operations. Because it provides a single point of control for multiple servers, it often serves as a unified command hub for teams tracking diverse digital assets.

What does CVE-2026-46716 mean?

This CVE involves a flaw where the system fails to correctly restrict user permissions, categorized under Improper Neutralization of Special Elements used in an OS Command (CWE-78), Improper Privilege Management (CWE-269), and Missing Authorization (CWE-862). Essentially, it allows a user with standard member privileges to bypass security boundaries and force the system to execute arbitrary commands on servers they should not have access to.

How does an attacker trigger this vulnerability?

An attacker needs 'RoleMember' access to the dashboard to create a specific scheduled cron task. By setting the task to target all servers globally, the dashboard automatically pushes the attacker's command to every connected agent. Note that simply having a user account without 'RoleMember' status or failing to configure the task with the specific 'CronCoverAll' setting does not trigger this execution path.

Is my Nezha Monitoring instance at risk?

According to Halo Surface Signal, Nezha Monitoring is typically deployed as an internet-facing or network-exposed application to facilitate remote infrastructure management. If your instance is reachable over the network and you are running a version prior to 2.0.8, it is considered potentially accessible to unauthorized actors, increasing the importance of verifying your deployment status.

What should I do to secure my Nezha Monitoring?

The primary step is to upgrade your Nezha Monitoring software to version 2.0.8 or later, which contains the fix for this vulnerability. You should also audit your current user list to ensure only trusted individuals hold 'RoleMember' permissions and verify the security configuration of your dashboard to limit its network exposure where possible.

References

github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.