Description
Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize `../` sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details. Version 0.18.4 fixes the issue.
Published: 2026-02-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

Beszel is a server monitoring platform. Prior to version 0.18.2 its authenticated API endpoints pass the user-supplied "container" query parameter to the agent without validation. Because the agent uses the raw value when forming Docker Engine API URLs, an authenticated user—including those with a read-only role—can inject "../" sequences to traverse to arbitrary Docker API endpoints on the agent host. This path traversal flaw (CWE-22) allows an attacker to access sensitive infrastructure details, such as container configurations and logs, and potentially perform actions exposed by the Docker API.

Affected Systems

The vulnerability affects the Beszel platform released by henrygd. All releases earlier than 0.18.2 are impacted; the issue was fixed in 0.18.4. Administrators should confirm that their deployments are running a patched version.

Risk and Exploitability

The CVSS score is 6.5, the EPSS indicates a very low exploitation probability (<1%), and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated session to Beszel, after which the attacker can issue arbitrary Docker Engine commands through the agent. While the current likelihood of exploitation is low, the impact on confidentiality is substantial, warranting prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Beszel to version 0.18.4 or later, which sanitizes the container identifier
  • Restrict authenticated API access to users who absolutely require it and enforce least privilege for services interacting with Beszel
  • Implement input validation or use URL encoding such as url.PathEscape() on any container identifiers before constructing Docker Engine API URLs
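An added illustration, not Beszel's own code, of the raw fmt.Sprintf construction described above beside the escaped and allowlisted forms, plus a normalisation check a hub could apply to the final Docker API path. The allowlist regexp and the sample inputs are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// containerRef is an assumed allowlist modelled on Docker's container-name rules
// (leading alphanumeric, then alphanumerics, '_', '.', '-'); 64-hex IDs match too.
var containerRef = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)

// vulnerablePath reproduces the pre-0.18.4 pattern: raw query value into the path.
func vulnerablePath(container string) string {
	return fmt.Sprintf("/containers/%s/json", container)
}

// escapedPath keeps the value a single segment: "../version" -> "..%2Fversion",
// which the daemon merely treats as a container name that does not exist.
func escapedPath(container string) string {
	return fmt.Sprintf("/containers/%s/json", url.PathEscape(container))
}

// safePath is the hardened form: allowlist first, then escape.
func safePath(container string) (string, error) {
	if !containerRef.MatchString(container) {
		return "", errors.New("invalid container identifier")
	}
	return escapedPath(container), nil
}

// staysUnderPrefix: after normalisation the request must still target /containers/.
func staysUnderPrefix(p string) bool {
	return strings.HasPrefix(path.Clean(p), "/containers/")
}

func main() {
	for _, c := range []string{"web-1", "../version"} { // constructed sample inputs
		raw := vulnerablePath(c)
		fmt.Printf("%q raw=%q underPrefix=%v\n", c, raw, staysUnderPrefix(raw))
		if p, err := safePath(c); err != nil {
			fmt.Printf("%q rejected: %v\n", c, err)
		} else {
			fmt.Printf("%q safe=%q\n", c, p)
		}
	}
}
```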



Advisories
Source: GitHub GHSA
ID: GHSA-phwh-4f42-gwf3
Title: Beszel: Docker API has a Path Traversal Vulnerability via Unsanitized Container ID
History

Wed, 04 Mar 2026 17:00:00 +0000

First Time appeared (Values Added): Beszel, Beszel beszel
CPEs (Values Added): cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*
Vendors & Products (Values Added): Beszel, Beszel beszel

Mon, 02 Mar 2026 14:15:00 +0000

Metrics ssvc (Values Added): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

First Time appeared (Values Added): Henrygd, Henrygd beszel
Vendors & Products (Values Added): Henrygd, Henrygd beszel

Fri, 27 Feb 2026 20:00:00 +0000

Description (Values Added): Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize `../` sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details. Version 0.18.4 fixes the issue.
Title (Values Added): Beszel Vulnerable to Docker API Path Traversal via Unsanitized Container ID
Weaknesses (Values Added): CWE-22
References (Values Added):
Metrics cvssV3_1 (Values Added): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T12:52:19.071Z

Reserved: 2026-02-23T18:37:14.790Z

Link: CVE-2026-27734

Vulnrichment

Updated: 2026-03-02T12:52:13.899Z

NVD

Status : Analyzed

Published: 2026-02-27T20:21:38.950

Modified: 2026-03-04T16:50:52.993

Link: CVE-2026-27734

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:30:06Z

Weaknesses