Description
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without checking that the user is authorized to access that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15-character alphanumeric strings and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via the web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is a 12-digit hexadecimal string. This vulnerability is fixed in 0.18.7.
Published: 2026-04-09
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to system data
Action: Immediate patch
AI Analysis

Impact

Beszel, a server monitoring platform, contains an IDOR flaw in its hub API endpoints. The flaw allows any authenticated user to submit a system ID in the URL and the API returns information for that system without verifying the user's privileges. Because system IDs are random 15-character alphanumeric strings, a user who knows or can enumerate a valid ID can read data from any system, potentially leaking sensitive configuration or monitoring information.
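
As an added illustration (not Beszel's code, and not the advisory's or the upstream fix's), the Go sketch below contrasts a handler that looks up a system straight from the URL-supplied ID with one that first checks the caller's access to that system. The hub state, user and system IDs are constructed, and returning the same "not found" answer for missing and forbidden systems is an assumed hardening so the endpoint cannot confirm which guessed IDs are valid.

```go
package main

import (
	"errors"
	"regexp"
)

// Hub is a constructed stand-in for the hub's state, not Beszel's data model:
// which systems exist, and which users may read each one.
type Hub struct {
	systems map[string]string          // systemID -> hostname
	access  map[string]map[string]bool // userID -> set of readable systemIDs
}

var ErrNotFound = errors.New("system not found")

// The advisory describes system IDs as random 15-character alphanumeric strings.
var systemIDRe = regexp.MustCompile(`^[A-Za-z0-9]{15}$`)

// VulnerableSystemInfo mirrors the pre-0.18.7 pattern: the ID taken from the URL
// parameter is looked up with no check that userID may read that system.
func (h *Hub) VulnerableSystemInfo(userID, systemID string) (string, error) {
	host, ok := h.systems[systemID]
	if !ok {
		return "", ErrNotFound
	}
	return host, nil
}

// FixedSystemInfo adds the missing authorization step. It answers "not found" for
// both a nonexistent system and one the caller may not read, so the endpoint does
// not confirm which guessed IDs are valid (assumed hardening, not the upstream fix).
func (h *Hub) FixedSystemInfo(userID, systemID string) (string, error) {
	if !systemIDRe.MatchString(systemID) || !h.access[userID][systemID] {
		return "", ErrNotFound
	}
	host, ok := h.systems[systemID]
	if !ok {
		return "", ErrNotFound
	}
	return host, nil
}

// newDemoHub returns constructed sample data: two systems, alice may read only one.
func newDemoHub() *Hub {
	return &Hub{
		systems: map[string]string{"a1b2c3d4e5f6g7h": "db-01", "z9y8x7w6v5u4t3s": "web-02"},
		access:  map[string]map[string]bool{"alice": {"a1b2c3d4e5f6g7h": true}},
	}
}
```

The hostname string stands in for whatever system or container data the real endpoints return; the authorization check is the same regardless of payload.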

Affected Systems

Vendors: henrygd:beszel. Affected versions are all releases prior to 0.18.7; version 0.18.7 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity, yet the flaw provides unauthorized read access across the entire system inventory for any authenticated user. Exploitation requires only the ability to guess or enumerate system IDs and, for certain container endpoints, container IDs. The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog, implying little public awareness or evidence of active exploitation. However, the relatively simple attack path and the fact that users can enumerate system and container IDs suggest the risk is non-trivial in environments where many systems are monitored.

Generated by OpenCVE AI on April 9, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.18.7 or newer, which contains the fix for the IDOR
  • If an upgrade is not immediately possible, limit user permissions so the hub API endpoints are only accessible to users who must have access to the respective systems
  • Monitor API usage for abnormal access patterns that might indicate enumeration or exploitation attempts

Advisories
Source: Github GHSA
ID: GHSA-5f5r-95pg-xrpm
Title: Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
History

Fri, 17 Apr 2026 17:45:00 +0000

Values added:
  • First Time appeared: Beszel; Beszel beszel
  • CPEs: cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*
  • Vendors & Products: Beszel; Beszel beszel

Mon, 13 Apr 2026 21:15:00 +0000

Values added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Values added:
  • First Time appeared: Henrygd; Henrygd beszel
  • Vendors & Products: Henrygd; Henrygd beszel

Thu, 09 Apr 2026 19:30:00 +0000

Values added:
  • Description: Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without checking that the user is authorized to access that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15-character alphanumeric strings and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via the web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is a 12-digit hexadecimal string. This vulnerability is fixed in 0.18.7.
  • Title: Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
  • Weaknesses: CWE-184
  • References: none listed
  • Metrics: cvssV3_1 {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:19:45.967Z

Reserved: 2026-04-09T00:39:12.205Z

Link: CVE-2026-40077

Vulnrichment

Updated: 2026-04-13T20:19:41.922Z

NVD

Status: Analyzed

Published: 2026-04-09T20:16:27.230

Modified: 2026-04-17T17:37:33.750

Link: CVE-2026-40077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:29:37Z

Weaknesses