Share
## https://sploitus.com/exploit?id=EB69EDD1-C3D3-5A3F-9E11-D9CA3FDA3D91
# CVE-2026-46716 โ Nezha Monitoring Cross-Tenant RCE via Cron API Authorization Bypass
A lab environment for reproducing and detecting **CVE-2026-46716**, a critical vulnerability in Nezha Monitoring where the `POST /api/v1/cron` endpoint lacks admin privilege checks, allowing RoleMember users to achieve cross-tenant remote code execution.
---
## Vulnerability Overview
| Field | Details |
|-------|---------|
| CVE ID | CVE-2026-46716 |
| GHSA | [GHSA-99gv-2m7h-3hh9](https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9) |
| CVSS | 9.9 (Critical) โ `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
| Affected versions | nezhahq/nezha >= 1.4.0, **Note:** If the member account creation API differs from expected, create it manually via the Nezha UI at `http://localhost:8008` (Settings โ Users).
### Step 2 โ Trigger the CVE
```bash
bash scripts/03-trigger-cve.sh
```
**Expected output โ vulnerable (v1.14.14):**
```
HTTP 200 โ Cron created (id: 1)
โ RESULT: ADMIN CHECK BYPASSED โ VULNERABLE
```
**Expected output โ patched:**
```
HTTP 403 โ Access denied
โ RESULT: Admin check enforced โ PATCHED
```
### Step 3 โ Nuclei detection
```bash
# Vulnerable cluster โ should produce a [critical] finding
nuclei -duc -t nuclei/CVE-2026-46716.yaml \
-u http://localhost:8008 \
-var username=admin \
-var password=admin
# Patched cluster โ should produce no findings
nuclei -duc -t nuclei/CVE-2026-46716.yaml \
-u http://localhost:8009 \
-var username=admin \
-var password=admin
```
### Step 4 โ Teardown
```bash
bash scripts/99-teardown.sh
```
---
## Directory Structure
```
nezha-cve-2026-46716-lab/
โโโ README.md
โโโ LAB_SETUP_GUIDE.md # Lab setup guide (English)
โโโ VULNERABILITY_ANALYSIS.md # Code-level vulnerability analysis (English)
โโโ NUCLEI_TEMPLATE_GUIDE.md # Nuclei template design and test results (English)
โโโ docker-compose.yaml
โ
โโโ REPORT/ # Korean reports
โ โโโ LAB_REPORT_KR.md
โ โโโ Nuclei_Template_Report_KR.md
โ โโโ Vulnerability_Analysis_KR.md
โ
โโโ nuclei/
โ โโโ CVE-2026-46716.yaml # Nuclei detection template
โ
โโโ scripts/
โโโ 01-setup.sh # Start containers, create member account
โโโ 03-trigger-cve.sh # PoC: trigger auth bypass, verify result
โโโ 99-teardown.sh # Stop and remove all lab resources
```
---
## Nuclei Template Detection Logic
```
Step 1 POST /api/v1/login (admin credentials)
โ authenticate and extract JWT token
Step 2 GET /api/v1/setting
โ version field matched against vulnerable range (1.4.x โ 1.14.14)
โ match โ FINDING: vulnerable version detected
โ no match (>= 1.14.15 or "debug") โ no finding
```
Both vulnerable and patched versions return HTTP 200 for `POST /api/v1/cron` with
`servers:[], cover:1` โ behavioral detection is not possible. The patch only adds
ownership validation inside CronTrigger at execution time, not at the API level.
Admin credentials are required because `GET /api/v1/setting` returns the `version`
field only for RoleAdmin users.
---
## References
- [GHSA-99gv-2m7h-3hh9](https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9)
- [NVD โ CVE-2026-46716](https://nvd.nist.gov/vuln/detail/CVE-2026-46716)
---
> **Warning:** All credentials in this lab are fake test data for security research purposes only. Never use in production.