Critical | Vulnerability | Active

Nezha Monitoring: Authentication Bypass Enables Cross-Tenant RCE via Cron API

Nezha's cron scheduling API routes are protected by common authentication (any logged-in user) rather than admin-only gates, combined with a permission check bypass that allows RoleMembers to execute arbitrary commands on all monitored servers across tenant boundaries.

Sebastion

CVE References

Affected

nezha/dashboard

Vulnerability Description

This is a privilege escalation and authorization bypass vulnerability rooted in two distinct flaws: (1) an API endpoint routing misconfiguration that gates the cron endpoints (POST /api/v1/cron, PATCH /api/v1/cron/:id) behind commonHandler (any authenticated user) instead of adminHandler (admin-only), and (2) a vacuous-truth logic error in the per-server permission validation performed during cron task creation. The vulnerability class is Broken Access Control (CWE-639) combined with Improper Input Validation (CWE-20). Affected versions are commit 50dc8e660326b9f22990898142c58b7a5312b42a and earlier on the master branch.

Root Cause & Impact

A RoleMembers user (Role==1) can craft a cron task with Cover=CronCoverAll and Servers=[] (empty array). The permission check fails to reject this configuration because it encounters no servers to validate against—the empty set satisfies any per-server authorization loop vacuously. At scheduler tick intervals, the dashboard broadcasts the attacker's arbitrary command to every server in the global ServerShared map, including servers belonging to other tenants, the admin, and unrelated users. Each agent executes the command and returns output, which routes back to the attacker's NotificationGroup (webhook), granting pre-authenticated, persistent remote code execution across all monitored infrastructure. An attacker with a self-bound OAuth2 account can exploit this without any dashboard-native credentials.

Detection Guidance

Log Indicators:

  • Cron creation/update events from non-admin users (Role==1) via POST/PATCH /api/v1/cron
  • Audit logs showing cron tasks with Cover=CronCoverAll and Servers=[] (empty list)
  • Webhook delivery logs or notification events for cron output from servers the user did not register/own
  • Repeated command execution across multiple servers from a single low-privilege user account within short intervals
  • NotificationGroup updates by RoleMembers pointing to external webhooks

YARA/Detection Rule Concept:

Detect POST /api/v1/cron with JSON body containing:
  - "Cover":"CronCoverAll" OR "Cover":0
  - "Servers":[] (empty array)
  - Non-empty "Command" field
  - Request authenticated as RoleMember (Role==1)

Mitigation Steps

  1. Immediate: Upgrade to patched version (post-50dc8e660326b9f22990898142c58b7a5312b42a)
  2. Route Fix: Change cron endpoints in controller.go from commonHandler to adminHandler
  3. Validation Fix: Implement explicit check: reject cron creation if Cover==CronCoverAll and Servers is empty or missing; validate that at least one server in the task's scope belongs to the requesting user's tenant/group
  4. Temporary Workaround (if patching delayed): Disable cron API access for non-admin users via reverse-proxy rules; restrict NotificationGroup modifications to admins only
  5. Audit: Review all cron tasks in production; delete any with Cover=CronCoverAll and empty Servers lists; audit webhook destinations for anomalies
  6. Monitoring: Enable detailed API audit logging for /api/v1/cron endpoints; alert on cross-tenant resource access patterns
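The vacuous per-server check described under Root Cause, beside the explicit validation of mitigation step 3, as an added example written for this page (not Nezha's own code). The type names, the role values and the shape of the shared server map are assumptions; the two-tenant server map is constructed for the demonstration.

```go
package main

import "fmt"

// Simplified, hypothetical stand-ins for the dashboard's types; not Nezha's own code.
const (
	RoleAdmin, RoleMembers = 0, 1 // assumed values; the advisory's RoleMembers is Role==1
	CronCoverAll           = 0    // follows "Cover":0 in the detection rule above
)

type User struct{ ID, Role int }
type Server struct{ ID, OwnerID int }
type CronTask struct {
	Cover   int
	Servers []int // server IDs named in the request
	Command string
}

// ownsListed is the per-server loop from the advisory. With Servers=[] the
// body never runs, so it returns true vacuously.
func ownsListed(u User, t CronTask, shared map[int]Server) bool {
	for _, id := range t.Servers {
		if s, ok := shared[id]; !ok || s.OwnerID != u.ID {
			return false
		}
	}
	return true
}

// allowVulnerable reproduces the flawed check: Role==1 with CronCoverAll and Servers=[] passes.
func allowVulnerable(u User, t CronTask, shared map[int]Server) bool {
	return u.Role == RoleAdmin || ownsListed(u, t, shared)
}

// allowFixed applies mitigation step 3 for non-admins: reject CronCoverAll with an empty
// list, then require a non-empty list owned entirely by the requester (stricter than "at least one").
func allowFixed(u User, t CronTask, shared map[int]Server) bool {
	if u.Role == RoleAdmin {
		return true
	}
	if t.Cover == CronCoverAll && len(t.Servers) == 0 {
		return false
	}
	return len(t.Servers) > 0 && ownsListed(u, t, shared)
}

func main() {
	shared := map[int]Server{1: {1, 7}, 2: {2, 9}} // constructed: servers of two tenants
	t := CronTask{Cover: CronCoverAll, Servers: []int{}, Command: "uptime"}
	fmt.Println(allowVulnerable(User{7, RoleMembers}, t, shared), allowFixed(User{7, RoleMembers}, t, shared))
}
```

Running it prints `true false`: the original loop accepts the empty-scope task that the scheduler would fan out to both tenants' servers, while the explicit check rejects it.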

Risk Assessment

Likelihood of Exploitation: Very High. The vulnerability requires only basic knowledge of the API and no complex exploitation techniques—a single HTTP POST request triggers RCE. Exploitation is reliable, works pre-authentication for OAuth2 setups, and leaves audit trails only if logging is enabled and monitored. The precondition (user account with RoleMember role) is easily obtained in multi-tenant SaaS or self-hosted collaborative deployments.

Threat Actor Interest: Critical. Monitoring and infrastructure-as-a-service dashboards are high-value targets; cross-tenant RCE is a crown jewel. Nation-state, ransomware, and insider-threat actors would prioritize this for lateral movement and persistent access. The low exploitation friction means commodity scanning tools will detect and exploit unpatched instances automatically.

Time to Exploitation: Days to weeks from disclosure if patches are not rapidly deployed; expect proof-of-concepts in the wild within 1–2 weeks.