CVE-2026-47268 is a medium-severity server-side request forgery (SSRF) vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 0.20.0, < 2.0.10. It is fixed in 2.0.10.
Summary An authenticated Nezha dashboard user can create or update a DDNS profile with provider webhook and configure an arbitrary webhookurl, HTTP method, request body, and headers. When DDNS is triggered for a server that uses that profile, the dashboard process sends the configured request with utils.HttpClient without the SSRF protections used by notification webhooks. This allows a low-privileged authenticated user who controls an owned server/DDNS profile to make the dashboard host issue HTTP requests to loopback or internal network services. The response body is not returned to the attacker in the confirmed path, so this is a blind SSRF / internal state-changing request primitive. Details The DDNS API is available to authenticated users, not only administrators: cmd/dashboard/controller/controller.go:137 registers GET /api/v1/ddns. cmd/dashboard/controller/controller.go:139 registers POST /api/v1/ddns. cmd/dashboard/controller/controller.go:140 registers PATCH /api/v1/ddns/:id. The create and update handlers copy attacker-controlled webhook fields directly from JSON request bodies into model.DDNSProfile: cmd/dashboard/controller/ddns.go:47-74 accepts model.DDNSForm and stores WebhookURL, WebhookMethod, WebhookRequestType, WebhookRequestBody, and WebhookHeaders. cmd/dashboard/controller/ddns.go:112-145 updates the same fields after profile ownership is checked. model/ddnsapi.go:11-15 exposes these fields as JSON input. model/ddns.go:28-33 stores these fields on the persisted profile. Users can attach owned DDNS profiles to owned servers, and DDNS updates are triggered in common server update and agent IP-reporting paths: cmd/dashboard/controller/server.go:63-83 checks DDNS profile ownership, then stores EnableDDNS, DDNSProfiles, and OverrideDDNSDomains on an owned server. service/singleton/server.go:44-58 calls UpdateDDNS when a server with DDNS enabled is updated. service/rpc/nezha.go:247-279 calls UpdateDDNS when an authenticated agent reports a changed IP. The DDNS provider dispatcher instantiates the webhook provider when Provider == "webhook": service/singleton/ddns.go:58-95, especially service/singleton/ddns.go:79-81. The sink is the DDNS webhook provider: pkg/ddns/webhook/webhook.go:49-65 prepares and sends the HTTP request with utils.HttpClient.Do(req). pkg/ddns/webhook/webhook.go:85-100 formats and applies attacker-controlled headers. pkg/ddns/webhook/webhook.go:91-92 creates the request with the configured method and URL. pkg/ddns/webhook/webhook.go:117-134 parses the configured URL and only formats query parameters; it does not restrict scheme, host, IP range, or redirects. pkg/ddns/webhook/webhook.go:137-158 builds attacker-controlled request bodies for POST/PATCH/PUT. The project already contains SSRF defenses for notification webhooks, showing the expected mitigation pattern is absent from the DDNS webhook path: model/notification.go:34-58 defines blocked private/reserved CIDRs. model/notification.go:193-221 creates a notification HTTP client that resolves and pins a validated IP and disables redirects. model/notification.go:229-263 only allows http/https, requires a hostname, resolves all addresses, and rejects disallowed IPs. model/notification.go:265-276 rejects blocked ranges and non-global-unicast targets. Equivalent validation was not found in pkg/ddns/webhook/webhook.go. Safe local PoC Environment: Repository: https://github.com/nezhahq/nezha.git Commit tested: 05e5da2535197fc223b79601d50eeea362dcf853 Tag at commit: v2.0.9 Module: github.com/nezhahq/nezha Go version: go1.26.3 linux/amd64 Testing scope: local-only; loopback HTTP listener and fake local UDP DNS SOA server only. A temporary same-package test was created and removed automatically after execution. It used a local httptest listener as the internal service and a local UDP DNS server that returned an SOA for example.com.. The test then executed the normal DDNS update pipeline with a webhook DDNS profile pointing at the loopback HTTP listener. Command run: Observed output: A lower-level provider-only confirmation was also run with go test ./pkg/ddns/webhook -run TestLocalPoCDDNSWebhookReachesLoopback -v and observed: Cleanup: Both temporary PoC test files were removed by shell trap. find . -path './.git' -prune -o \( -name 'ssrflocalpoctest.go' -o -name 'ddnsssrflocalpoc_test.go' \) -print returned no files. Impact An authenticated dashboard user can cause the Nezha dashboard process to send arbitrary HTTP requests to services reachable from the dashboard host, including loopback and private network targets. The confirmed path allows attacker-controlled method, URL path/query, headers, and request body. Potential impacts depend on deployment and reachable internal services, but include: Blind probing of internal HTTP services from the dashboard network location. Triggering state-changing internal endpoints that trust localhost or private network origins. Reaching services not exposed to the attacker directly. Interaction with cloud metadata or control-plane endpoints if reachable and not otherwise protected. The response body is not returned to the attacker in the confirmed code path, so this should not be described as direct arbitrary internal file/secret read without an additional response-disclosure primitive.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-47268 has a CVSS score of 6.4 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (2.0.10). Upgrading removes the vulnerable code path.
go
github.com/nezhahq/nezha (>= 0.20.0, < 2.0.10)github.com/naiba/nezha (>= 0.20.0)github.com/nezhahq/nezha → 2.0.10 (go)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's runtime-powered SCA identifies whether CVE-2026-47268 is reachable in your applications. Explore open-source security for your team.
See if CVE-2026-47268 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-47268 in your environment →Upgrade github.com/nezhahq/nezha to 2.0.10 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-47268 is a medium-severity server-side request forgery (SSRF) vulnerability in github.com/nezhahq/nezha (go), affecting versions >= 0.20.0, < 2.0.10. It is fixed in 2.0.10. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
CVE-2026-47268 has a CVSS score of 6.4 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
github.com/nezhahq/nezha (go) (versions >= 0.20.0, < 2.0.10)github.com/naiba/nezha (go) (versions >= 0.20.0)Yes. CVE-2026-47268 is fixed in 2.0.10. Upgrade to this version or later.
Whether CVE-2026-47268 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade github.com/nezhahq/nezha to 2.0.10 or later.