Vulnerability Description
Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info forward the user-supplied "container" query parameter to the agent without validating it. The agent then builds the Docker Engine API request path with fmt.Sprintf, interpolating the raw value where url.PathEscape() should have been used. Go's net/url keeps `../` segments in a path verbatim and http.Client sends them unchanged, including over the Docker unix socket, so a "container" value containing `../` escapes the intended /containers/... route and reaches other Docker API endpoints on every agent host. Any authenticated hub user, including one with the readonly role, can do this and obtain sensitive details about the agent host and its containers. Version 0.18.4 fixes the issue.
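The following Go program is an added illustration of the bug class described above, not Beszel's own code. It places the unsafe fmt.Sprintf pattern beside the url.PathEscape() form, adds the input validation the hub was missing, and shows what net/url keeps in the path and what a router that collapses dot segments would dispatch. The function names, the "/containers/{id}/json" route, the "docker" placeholder host, and the container-name pattern are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
)

// Illustration of the bug class described above. Function names, the
// "/containers/{id}/json" route and the "docker" placeholder host are
// assumptions for this example; none of this is Beszel's own code.

// buildVulnerable reproduces the unsafe pattern: the raw query value is
// interpolated straight into the Docker Engine API path.
func buildVulnerable(container string) string {
	return fmt.Sprintf("/containers/%s/json", container)
}

// buildEscaped is the hardened form: url.PathEscape turns "/" into "%2F",
// so the value is always a single path segment and cannot add new ones.
func buildEscaped(container string) string {
	return fmt.Sprintf("/containers/%s/json", url.PathEscape(container))
}

// Docker container IDs are hex and names match [a-zA-Z0-9][a-zA-Z0-9_.-]*
// (assumed pattern for this example). Rejecting anything else at the hub,
// before the value is forwarded to the agent, is an independent second layer.
var containerRef = regexp.MustCompile(`^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`)

func validateContainer(container string) error {
	if len(container) == 0 || len(container) > 255 || !containerRef.MatchString(container) {
		return fmt.Errorf("invalid container reference %q", container)
	}
	return nil
}

// requestURIAsSent shows what net/http puts on the wire: url.Parse keeps
// ".." segments verbatim, while a percent-escaped segment survives as RawPath
// and is sent escaped.
func requestURIAsSent(p string) (string, error) {
	u, err := url.Parse("http://docker" + p)
	if err != nil {
		return "", err
	}
	return u.RequestURI(), nil
}

// resolvedOnServer models a server that collapses dot segments before routing,
// as Go's net/http mux and similar routers do: this is the route that actually
// gets dispatched for the path the client sent.
func resolvedOnServer(p string) string {
	return path.Clean(p)
}

func main() {
	builders := []struct {
		name string
		f    func(string) string
	}{
		{"vulnerable", buildVulnerable},
		{"escaped", buildEscaped},
	}
	// Constructed inputs: a plausible container ID and a traversal payload.
	for _, c := range []string{"a1b2c3d4e5f6", "../../info"} {
		fmt.Printf("input %q: validate=%v\n", c, validateContainer(c))
		for _, b := range builders {
			p := b.f(c)
			wire, _ := requestURIAsSent(p)
			fmt.Printf("  %-10s built=%s wire=%s routed=%s\n", b.name, p, wire, resolvedOnServer(p))
		}
	}
}
```

Run it and compare the "routed" column for the traversal input: the vulnerable build collapses to /info/json, while the escaped build stays under /containers/ because "..%2F..%2Finfo" is one opaque segment. The validation step is what closes the hole even if a future code path forgets to escape.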
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Beszel | Beszel | < 0.18.2 |
Related Weaknesses (CWE)
References
- https://github.com/henrygd/beszel/releases/tag/v0.18.4 (Product, Release Notes)
- https://github.com/henrygd/beszel/security/advisories/GHSA-phwh-4f42-gwf3 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-27734?
CVE-2026-27734 is a path traversal vulnerability in Beszel, a server monitoring platform, with a CVSS score of 6.5 (MEDIUM). Prior to version 0.18.2, the hub's authenticated endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info forward the "container" query parameter to the agent unvalidated, and the agent interpolates it into Docker Engine API paths with fmt.Sprintf instead of url.PathEscape(). An authenticated user, including one with the readonly role, can therefore reach arbitrary Docker API endpoints on agent hosts. Version 0.18.4 fixes the issue.
How severe is CVE-2026-27734?
CVE-2026-27734 has been rated MEDIUM with a CVSS base score of 6.5/10. The impact is disclosure of sensitive infrastructure details from the Docker Engine API on agent hosts; exploitation requires only an authenticated hub account, and a readonly account is sufficient.
Is there a patch for CVE-2026-27734?
Yes. Version 0.18.4 fixes the issue; the release notes and the vendor advisory are listed in the references section above. The affected product is Beszel (vendor Beszel), versions prior to 0.18.2 as listed in the table above.