CVE-2026-40077
Insecure Direct Object Reference in Beszel Hub API Allows Unauthorized Access
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beszel | beszel | < 0.18.7 (0.18.7 excluded; all earlier versions affected) |
Exploitability
| CWE ID | Name | Description |
|---|---|---|
| CWE-184 | Incomplete List of Disallowed Inputs | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
Note that CWE-184 describes an incomplete deny-list. The behaviour described below (a user-supplied record ID accepted without an ownership check) is an authorization bypass that is more commonly catalogued as CWE-639, Authorization Bypass Through User-Controlled Key; the weakness assignment here is the one recorded by the assigner.
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40077 is an Insecure Direct Object Reference (IDOR) vulnerability in the custom API endpoints of the Beszel hub, affecting versions prior to 0.18.7. The affected endpoints accept a user-supplied system ID in the query string and resolve it directly, without verifying that the authenticated user is allowed to access that system. System IDs are random 15-character alphanumeric strings that are not publicly exposed, but an authenticated user can potentially enumerate them through the web API.
Because the authorization check is missing, any authenticated user who knows or obtains a system ID can read data from, and trigger actions on, systems they do not own: Docker container logs and container info, systemd service information, and SMART data refreshes.
The root cause is that the custom Beszel hub routes trust the user-supplied system ID and skip the ownership check, whereas the standard PocketBase collection API applies the collection's access rules on every request.
How can this vulnerability impact me?
This vulnerability allows any authenticated user to access or manipulate data on systems they do not own or have permission to access. Specifically, an attacker can:
- Access recent application logs and Docker container metadata (excluding environment variables) of other users' systems.
- Retrieve systemd unit properties and status information from other users' systems.
- Trigger SMART data refreshes on any system, potentially causing unintended system operations.
While the CVSS base score is low (3.5), the data crosses a user boundary: any authenticated account can read information and trigger actions that belong to other users' systems. The practical impact therefore scales with how many accounts exist on the hub that should not be trusted with every monitored host, for example on a shared or multi-tenant deployment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is detected by exercising the affected Beszel hub API endpoints with the ID of a system that the authenticated user does not own and checking whether the hub still returns data. Because the missing check is on the user-supplied system ID, an authenticated user can enumerate system and container IDs via the web API and then try to read data or trigger actions on systems belonging to other users.
Specifically, test the following endpoints with a system ID (and container or service name) that belongs to another account:
- GET /api/beszel/containers/logs?system=SYSTEM_ID&container=CONTAINER_ID
- GET /api/beszel/containers/info?system=SYSTEM_ID&container=CONTAINER_ID
- GET /api/beszel/systemd/info?system=SYSTEM_ID&service=SERVICE_NAME
- POST /api/beszel/smart/refresh?system=SYSTEM_ID
The safe way to test is with two accounts you control on your own hub: note the ID of a system that belongs to account A (it appears in the hub UI URL for that system, and in the standard PocketBase listing at /api/collections/systems/records when queried as A), then replay the requests with account B's token. A PocketBase user token is obtained with POST /api/collections/users/auth-with-password. For example, using curl with B's token:
- curl -i -H "Authorization: Bearer <token>" "https://<beszel-server>/api/beszel/containers/logs?system=<system_id>&container=<container_id>"
- curl -i -H "Authorization: Bearer <token>" "https://<beszel-server>/api/beszel/systemd/info?system=<system_id>&service=<service_name>"
If these requests return the system's data for account B, the hub is missing the authorization check and is affected. A patched hub (0.18.7 or later) returns an error instead of the data. A 404 can also mean the route does not exist on the hub version you are testing, so confirm first with account A's token that the endpoint works for the owner. Keep in mind that POST /api/beszel/smart/refresh triggers work on the target agent rather than just reading data, so limit that probe to systems in your own test deployment.
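The detection procedure above, written as a small Go probe. This is an added example and not part of the original advisory or the Beszel project: it assumes the four routes listed above, a Bearer token in the Authorization header, and a system ID that belongs to a different account than the token's user (all passed on the command line). Only a 2xx on a system the caller does not own is counted as a leak; 401, 403 and 404 are not, so a wrong token or a patched hub reports zero leaks.

```go
package main

import (
	"flag"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"time"
)

// endpoint is one of the hub routes named in the advisory; param is the extra
// query key the route takes alongside system= ("" when it takes none).
type endpoint struct {
	method, path, param string
}

var endpoints = []endpoint{
	{"GET", "/api/beszel/containers/logs", "container"},
	{"GET", "/api/beszel/containers/info", "container"},
	{"GET", "/api/beszel/systemd/info", "service"},
	{"POST", "/api/beszel/smart/refresh", ""},
}

// Verdict is the outcome of one request. Leaks is set only when a system the
// caller does NOT own answered with a 2xx, i.e. the ownership check is absent.
type Verdict struct {
	Endpoint string
	Status   int
	Leaks    bool
}

// buildURL assembles the route URL; target is the container name or systemd
// unit and is ignored by routes that take no second parameter.
func buildURL(base string, ep endpoint, systemID, target string) string {
	q := url.Values{}
	q.Set("system", systemID)
	if ep.param != "" {
		q.Set(ep.param, target)
	}
	return base + ep.path + "?" + q.Encode()
}

// probe calls every endpoint once for systemID with the given token. owned
// says whether the token's user is expected to have access to systemID.
// /smart/refresh is a POST that triggers work on the agent: run it only
// against systems in your own test deployment.
func probe(client *http.Client, base, token, systemID, target string, owned bool) ([]Verdict, error) {
	var out []Verdict
	for _, ep := range endpoints {
		req, err := http.NewRequest(ep.method, buildURL(base, ep, systemID, target), nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		out = append(out, Verdict{
			Endpoint: ep.method + " " + ep.path,
			Status:   resp.StatusCode,
			Leaks:    !owned && resp.StatusCode >= 200 && resp.StatusCode < 300,
		})
	}
	return out, nil
}

// countLeaks returns how many probes reached data on a foreign system.
func countLeaks(vs []Verdict) int {
	n := 0
	for _, v := range vs {
		if v.Leaks {
			n++
		}
	}
	return n
}

func main() {
	base := flag.String("url", "", "hub base URL, e.g. https://beszel.example")
	token := flag.String("token", "", "token of an account that must NOT own the system")
	system := flag.String("system", "", "15-character ID of a system owned by another user")
	target := flag.String("target", "web", "container name or systemd unit to request")
	flag.Parse()
	if *base == "" || *token == "" || *system == "" {
		flag.Usage()
		os.Exit(2)
	}
	vs, err := probe(&http.Client{Timeout: 10 * time.Second}, *base, *token, *system, *target, false)
	if err != nil {
		fmt.Fprintln(os.Stderr, "probe failed:", err)
		os.Exit(1)
	}
	for _, v := range vs {
		fmt.Printf("%-35s -> %d leak=%v\n", v.Endpoint, v.Status, v.Leaks)
	}
	if countLeaks(vs) > 0 {
		fmt.Println("RESULT: foreign system data returned, hub is missing the authorization check")
		os.Exit(1)
	}
	fmt.Println("RESULT: no foreign system data returned")
}
```

Run it once with the owner's token and owned=true semantics in mind (it should report 2xx without leaks, which confirms the routes exist), then with the other account's token; a non-zero exit means the check is missing.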
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the Beszel hub to version 0.18.7 or later, where the affected endpoints check that the authenticated user is authorized for the user-supplied system ID before returning data or triggering an action.
Until the upgrade can be performed, remember that exploitation requires an authenticated hub account: limit who holds one (disable self-registration if it is enabled, and review the user list for accounts that should not exist), keep the hub off the public internet or behind a VPN or authenticating reverse proxy, and monitor access logs for one account issuing requests to /api/beszel/containers/*, /api/beszel/systemd/info or /api/beszel/smart/refresh with many different system IDs.
Additionally, review and tighten the hub's access controls and authentication settings to reduce the number of accounts that could exploit this vulnerability before it is patched.
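The missing check described in the explanation above, and the kind of fix the mitigation refers to, shown side by side in Go (the language the Beszel hub is written in). This is an added illustration, not code from the Beszel project: the in-memory "systems" map, the X-User header standing in for the hub's session lookup, and the per-record allowed-user set are constructed assumptions. The handler body is shared; only the lookup differs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed in-memory stand-in for the hub's "systems" collection. The
// assumption (not taken from the Beszel source) is that each record knows
// which user IDs are allowed to see it.
type System struct {
	ID    string
	Name  string
	Users map[string]bool
}

var systems = map[string]*System{
	"a1b2c3d4e5f6g7h": {ID: "a1b2c3d4e5f6g7h", Name: "alice-web", Users: map[string]bool{"alice": true}},
	"h7g6f5e4d3c2b1a": {ID: "h7g6f5e4d3c2b1a", Name: "bob-db", Users: map[string]bool{"bob": true}},
}

var errNotFound = errors.New("system not found")

// userFromRequest stands in for the hub's session lookup. Constructed: the
// caller's user ID arrives in an X-User header instead of a real auth token.
func userFromRequest(r *http.Request) string { return r.Header.Get("X-User") }

// lookupSystemVulnerable mirrors the pre-0.18.7 pattern: the system ID from
// the query string is resolved directly, and nothing checks whether the
// authenticated caller is allowed to see that record.
func lookupSystemVulnerable(r *http.Request) (*System, error) {
	s, ok := systems[r.URL.Query().Get("system")]
	if !ok {
		return nil, errNotFound
	}
	return s, nil
}

// lookupSystemFixed adds the missing authorization step: the record is only
// returned when the caller is in its allowed-user set. "Unknown" and
// "not yours" both answer 404 so the route cannot be used as an ID oracle.
func lookupSystemFixed(r *http.Request) (*System, error) {
	s, ok := systems[r.URL.Query().Get("system")]
	if !ok || !s.Users[userFromRequest(r)] {
		return nil, errNotFound
	}
	return s, nil
}

// containerInfoHandler is a minimal GET /api/beszel/containers/info; the
// lookup strategy is injected so both variants share the same handler body.
func containerInfoHandler(lookup func(*http.Request) (*System, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if userFromRequest(r) == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		s, err := lookup(r)
		if err != nil {
			http.Error(w, err.Error(), http.StatusNotFound)
			return
		}
		fmt.Fprintf(w, "container %q on %s", r.URL.Query().Get("container"), s.Name)
	}
}

// statusFor sends one request as user against h and returns the HTTP status.
func statusFor(h http.Handler, user, systemID string) int {
	req := httptest.NewRequest(http.MethodGet,
		"/api/beszel/containers/info?system="+systemID+"&container=web", nil)
	req.Header.Set("X-User", user)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := containerInfoHandler(lookupSystemVulnerable)
	fixed := containerInfoHandler(lookupSystemFixed)
	fmt.Println("bob reads alice's system, vulnerable handler:", statusFor(vuln, "bob", "a1b2c3d4e5f6g7h"))
	fmt.Println("bob reads alice's system, fixed handler:     ", statusFor(fixed, "bob", "a1b2c3d4e5f6g7h"))
	fmt.Println("alice reads her own system, fixed handler:   ", statusFor(fixed, "alice", "a1b2c3d4e5f6g7h"))
}
```

The point of the fixed variant is that authorization is resolved together with the record lookup, so a route author cannot forget it, and that a foreign ID is indistinguishable from a non-existent one. In a PocketBase-based hub the equivalent is to fetch the record with a filter that includes the authenticated user rather than by ID alone, which is what the standard collection API does on the developer's behalf.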
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
CVE-2026-40077 is an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users to access or manipulate data on systems they do not own due to missing authorization checks in Beszel hub API endpoints.
This unauthorized access to potentially sensitive data, such as application logs, Docker container metadata, and systemd unit properties, could lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.
Although the CVSS score is low (3.5), the vulnerability lets one authenticated user read or act on another user's systems without authorization, which is exactly the kind of access-control failure these frameworks require you to prevent and, where it is exploited, may require you to report.