# [CRIT] [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron **Source:** GitHub Security Advisories **Published:** 2026-05-23 **Article:** https://github.com/advisories/GHSA-99gv-2m7h-3hh9 ## Threat Profile Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron ## Summary `nezha`'s dashboard supports two user roles: `RoleAdmin` (Role==0) and `RoleMember` (Role==1). The cron routes `POST /api/v1/cron` and `PATCH /api/v1/cron/:id` are wired through `commonHandler` (any authenticated user) rather than `adminHandler`, and the per-server permission check on cron creation has a vacuous-true bypass. A `RoleMember` user can create a scheduled cron task with `… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-46716` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1528** — Steal Application Access Token - **T1098.001** — Account Manipulation: Additional Cloud Credentials - **T1053.005** — Scheduled Task - **T1053.005** — Persistence (article-specific) - **T1078** — Valid Accounts - **T1068** — Exploitation for Privilege Escalation - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1003.008** — OS Credential Dumping: /etc/passwd and /etc/shadow - **T1552.005** — Unsecured Credentials: Cloud Instance Metadata API - **T1057** — Process Discovery - **T1071.001** — Application Layer Protocol: Web Protocols ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Nezha CVE-2026-46716 exploit: POST /api/v1/cron with empty servers + CronCoverAll `UC_213_4` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.http_user_agent) as ua values(Web.status) as status values(Web.src) as src from datamodel=Web.Web where Web.http_method=POST AND Web.url="*/api/v1/cron*" AND NOT Web.url="*/api/v1/cron/*" by Web.dest Web.user Web.src Web.url | `drop_dm_object_name(Web)` | where status>=200 AND status<300 | join type=left src [search index=web sourcetype=*proxy* OR sourcetype=*waf* uri_path="/api/v1/cron" method=POST | rex field=_raw "\"servers\"\s*:\s*(?\[[^\]]*\])" | rex field=_raw "\"cover\"\s*:\s*(?\d+)" | where (servers="[]" AND cover="1") | table src cover servers] | where isnotnull(cover) OR isnotnull(servers) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` ### nezha-agent spawning credential-access shell commands on Linux (post-RCE) `UC_213_5` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_name) as proc_name values(Processes.parent_process) as parent_cmdline from datamodel=Endpoint.Processes where (Processes.parent_process_name="nezha-agent" OR Processes.parent_process="*/nezha-agent*" OR (Processes.parent_process_name IN ("sh","bash","dash","zsh") AND Processes.process_path="*/nezha-agent*")) AND (Processes.process="*/etc/shadow*" OR Processes.process="*169.254.169.254*" OR Processes.process="*iam/security-credentials*" OR Processes.process="*metadata.google.internal*" OR Processes.process="*metadata.azure.com*") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName has "nezha-agent" or InitiatingProcessParentFileName has "nezha-agent" | where FileName in~ ("cat","less","more","head","tail","awk","sed","grep","curl","wget","sh","bash","dash","python","python3","perl") | where ProcessCommandLine has_any ( "/etc/shadow", "169.254.169.254", "iam/security-credentials", "metadata.google.internal", "metadata.azure.com", "/computeMetadata/v1", "/latest/meta-data" ) | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, GrandparentImage = InitiatingProcessParentFileName, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256 | order by Timestamp desc ``` ### nezha-agent outbound network connection to cloud instance-metadata service `UC_213_6` · phase: **actions** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.app) as app values(All_Traffic.user) as user from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest="169.254.169.254" by All_Traffic.src All_Traffic.dest All_Traffic.dest_port All_Traffic.app | `drop_dm_object_name(All_Traffic)` | join type=inner src [| tstats summariesonly=t count from datamodel=Endpoint.Processes where (Processes.process_name="nezha-agent" OR Processes.parent_process_name="nezha-agent" OR Processes.parent_process="*nezha-agent*") by Processes.dest Processes.process Processes.process_name | rename Processes.dest as src Processes.process_name as proc_name Processes.process as proc_cmdline] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` ``` **Defender KQL:** ```kql // Two-stage: find IMDS connections, then filter to those whose initiating process chain includes nezha-agent let ImdsHits = DeviceNetworkEvents | where Timestamp > ago(7d) | where RemoteIP == "169.254.169.254" or RemoteUrl has_any ("169.254.169.254", "metadata.google.internal", "metadata.azure.com") | project Timestamp, DeviceId, DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessParentFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName; ImdsHits | where InitiatingProcessFileName has "nezha-agent" or InitiatingProcessParentFileName has "nezha-agent" or InitiatingProcessCommandLine has "nezha-agent" // Catch grandparent chain via process-tree lookup | union ( ImdsHits | join kind=inner ( DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName has "nezha-agent" | project DeviceId, ChildPid=ProcessId, ChildFile=FileName, ChildCmd=ProcessCommandLine, ChildTime=Timestamp ) on DeviceId | where InitiatingProcessId == ChildPid and Timestamp between (ChildTime .. ChildTime + 10m) ) | order by Timestamp desc ``` ### OAuth consent / suspicious app grant `UC_OAUTH_ABUSE` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication.Authentication where Authentication.action="success" AND Authentication.signature IN ( "Consent to application", "Add app role assignment grant to user", "Add OAuth2PermissionGrant", "Add delegated permission grant") by Authentication.user, Authentication.app, Authentication.src, Authentication.signature | `drop_dm_object_name(Authentication)` ``` **Defender KQL:** ```kql CloudAppEvents | where Timestamp > ago(7d) | where ActionType in ("Consent to application.","Add OAuth2PermissionGrant.","Add delegated permission grant.") | project Timestamp, AccountObjectId, AccountDisplayName, ActivityType, ActivityObjects, IPAddress, UserAgent ``` ### Scheduled task created with suspicious image / encoded args `UC_SCHEDULED_TASK` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="schtasks.exe" AND Processes.process="*/create*" AND (Processes.process="*powershell*" OR Processes.process="*cmd.exe*" OR Processes.process="*rundll32*" OR Processes.process="*-enc*" OR Processes.process="*FromBase64*" OR Processes.process="*\Users\Public*" OR Processes.process="*\AppData\*") by Processes.dest, Processes.user, Processes.process, Processes.parent_process_name | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where AccountName !endswith "$" | where FileName =~ "schtasks.exe" | where ProcessCommandLine has "/create" | where ProcessCommandLine has_any ("powershell","cmd.exe","rundll32","-enc","FromBase64","\Users\Public","\AppData\") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on `UC_213_3` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/shadow*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-46716: Nezha Monitoring: RoleMember can run shell on // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/shadow")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-46716` ## Why this matters Severity classified as **CRIT** based on: CVE present, 7 use case(s) fired, 12 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.