Description

Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize `../` sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details. Version 0.18.4 fixes the issue.

INFO

Published Date :

2026-02-27T19:41:30.418Z

Last Modified :

2026-03-02T12:52:19.071Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27734 vulnerability.

Vendors Products
Beszel
  • Beszel
Henrygd
  • Beszel
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27734.

URL Resource
https://github.com/henrygd/beszel/releases/tag/v0.18.4 cve-icon cve-icon
https://github.com/henrygd/beszel/security/advisories/GHSA-phwh-4f42-gwf3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact