Share
## https://sploitus.com/exploit?id=EB69EDD1-C3D3-5A3F-9E11-D9CA3FDA3D91
# CVE-2026-46716 โ€” Nezha Monitoring Cross-Tenant RCE via Cron API Authorization Bypass

A lab environment for reproducing and detecting **CVE-2026-46716**, a critical vulnerability in Nezha Monitoring where the `POST /api/v1/cron` endpoint lacks admin privilege checks, allowing RoleMember users to achieve cross-tenant remote code execution.

---

## Vulnerability Overview

| Field | Details |
|-------|---------|
| CVE ID | CVE-2026-46716 |
| GHSA | [GHSA-99gv-2m7h-3hh9](https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9) |
| CVSS | 9.9 (Critical) โ€” `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H` |
| Affected versions | nezhahq/nezha >= 1.4.0,  **Note:** If the member account creation API differs from expected, create it manually via the Nezha UI at `http://localhost:8008` (Settings โ†’ Users).

### Step 2 โ€” Trigger the CVE

```bash
bash scripts/03-trigger-cve.sh
```

**Expected output โ€” vulnerable (v1.14.14):**
```
HTTP 200 โ€” Cron created (id: 1)
โš   RESULT: ADMIN CHECK BYPASSED โ€” VULNERABLE
```

**Expected output โ€” patched:**
```
HTTP 403 โ€” Access denied
โœ“  RESULT: Admin check enforced โ€” PATCHED
```

### Step 3 โ€” Nuclei detection

```bash
# Vulnerable cluster โ†’ should produce a [critical] finding
nuclei -duc -t nuclei/CVE-2026-46716.yaml \
  -u http://localhost:8008 \
  -var username=admin \
  -var password=admin

# Patched cluster โ†’ should produce no findings
nuclei -duc -t nuclei/CVE-2026-46716.yaml \
  -u http://localhost:8009 \
  -var username=admin \
  -var password=admin
```

### Step 4 โ€” Teardown

```bash
bash scripts/99-teardown.sh
```

---

## Directory Structure

```
nezha-cve-2026-46716-lab/
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ LAB_SETUP_GUIDE.md              # Lab setup guide (English)
โ”œโ”€โ”€ VULNERABILITY_ANALYSIS.md       # Code-level vulnerability analysis (English)
โ”œโ”€โ”€ NUCLEI_TEMPLATE_GUIDE.md        # Nuclei template design and test results (English)
โ”œโ”€โ”€ docker-compose.yaml
โ”‚
โ”œโ”€โ”€ REPORT/                         # Korean reports
โ”‚   โ”œโ”€โ”€ LAB_REPORT_KR.md
โ”‚   โ”œโ”€โ”€ Nuclei_Template_Report_KR.md
โ”‚   โ””โ”€โ”€ Vulnerability_Analysis_KR.md
โ”‚
โ”œโ”€โ”€ nuclei/
โ”‚   โ””โ”€โ”€ CVE-2026-46716.yaml         # Nuclei detection template
โ”‚
โ””โ”€โ”€ scripts/
    โ”œโ”€โ”€ 01-setup.sh                 # Start containers, create member account
    โ”œโ”€โ”€ 03-trigger-cve.sh           # PoC: trigger auth bypass, verify result
    โ””โ”€โ”€ 99-teardown.sh              # Stop and remove all lab resources
```

---

## Nuclei Template Detection Logic

```
Step 1  POST /api/v1/login  (admin credentials)
        โ†’ authenticate and extract JWT token

Step 2  GET /api/v1/setting
        โ†’ version field matched against vulnerable range (1.4.x โ€“ 1.14.14)
        โ†’ match  โ†’  FINDING: vulnerable version detected
        โ†’ no match (>= 1.14.15 or "debug")  โ†’  no finding
```

Both vulnerable and patched versions return HTTP 200 for `POST /api/v1/cron` with
`servers:[], cover:1` โ€” behavioral detection is not possible. The patch only adds
ownership validation inside CronTrigger at execution time, not at the API level.
Admin credentials are required because `GET /api/v1/setting` returns the `version`
field only for RoleAdmin users.

---

## References

- [GHSA-99gv-2m7h-3hh9](https://github.com/nezhahq/nezha/security/advisories/GHSA-99gv-2m7h-3hh9)
- [NVD โ€” CVE-2026-46716](https://nvd.nist.gov/vuln/detail/CVE-2026-46716)

---

> **Warning:** All credentials in this lab are fake test data for security research purposes only. Never use in production.