CVE-2026-40077
Status: Received - Intake
Insecure Direct Object Reference in Beszel Hub API Allows Unauthorized Access

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15-character alphanumeric strings and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via the web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is a 12-digit hexadecimal string. This vulnerability is fixed in 0.18.7.
Meta Information
Published: 2026-04-09
Last Modified: 2026-04-17
Generated: 2026-05-07
AI Q&A: 2026-04-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: beszel
Product: beszel
Version / Range: up to 0.18.7 (excluding)
CWE
CWE-184: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40077 is an Insecure Direct Object Reference (IDOR) vulnerability in the Beszel hub API endpoints affecting versions prior to 0.18.7. The issue occurs because some API endpoints accept a user-supplied system ID but do not verify whether the authenticated user has permission to access that system. System IDs are random 15-character alphanumeric strings that are not publicly exposed but can potentially be enumerated by authenticated users through the web API.

Because of missing authorization checks, any authenticated user can access or manipulate data and actions on systems they do not own if they know or can guess the system ID. This includes accessing Docker container logs and info, systemd service information, and triggering SMART data refreshes on other users' systems.

The vulnerability is due to incomplete input validation and missing authorization checks on user-supplied system IDs in custom Beszel hub API routes, unlike the standard PocketBase API which enforces membership rules.


How can this vulnerability impact me?

This vulnerability allows any authenticated user to access or manipulate data on systems they do not own or have permission to access. Specifically, an attacker can:

  • Access recent application logs and Docker container metadata (excluding environment variables) of other users' systems.
  • Retrieve systemd unit properties and status information from other users' systems.
  • Trigger SMART data refreshes on any system, potentially causing unintended system operations.

While the CVSS base score is low (3.5), the vulnerability changes the security scope by exposing confidential information to unauthorized users, which could lead to information disclosure and unauthorized system interactions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to access the Beszel hub API endpoints with different system IDs and container IDs to check if unauthorized access is possible. Since the vulnerability involves missing authorization checks on user-supplied system IDs, an authenticated user can enumerate system IDs and container IDs via the web API and try to access data or trigger actions on systems they do not own.

Specifically, you can test the following API endpoints with various system and container IDs to see if access is granted without proper authorization:

  • GET /api/beszel/containers/logs?system=SYSTEM_ID&container=CONTAINER_ID
  • GET /api/beszel/containers/info?system=SYSTEM_ID&container=CONTAINER_ID
  • GET /api/beszel/systemd/info?system=SYSTEM_ID&service=SERVICE_NAME
  • POST /api/beszel/smart/refresh?system=SYSTEM_ID

Commands to detect the vulnerability would involve authenticated HTTP requests to these endpoints with guessed or enumerated system and container IDs. For example, using curl:

  • curl -i -H "Authorization: Bearer <token>" "https://<beszel-server>/api/beszel/containers/logs?system=<system_id>&container=<container_id>"
  • curl -i -H "Authorization: Bearer <token>" "https://<beszel-server>/api/beszel/systemd/info?system=<system_id>&service=<service_name>"

If these requests return data for systems the authenticated user should not have access to, it indicates the presence of the vulnerability.
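The request-based check above confirms the bug on an instance you control; on a production hub the same enumeration behaviour can also be spotted passively in access logs, where a caller guessing IDs shows up as many distinct ?system= values that are mostly rejected. The following is an added Go example, not Beszel's own code; the log line layout (user, method, target, status) is an assumption and the lines are constructed samples.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed sample access-log lines (the hub's real log format is an assumption
// here): bob walks through guessed system IDs, alice only uses her own system.
const sampleLog = `bob GET /api/beszel/systemd/info?system=aaaaaaaaaaaaaa1&service=sshd 404
bob GET /api/beszel/systemd/info?system=aaaaaaaaaaaaaa2&service=sshd 404
bob GET /api/beszel/containers/info?system=aaaaaaaaaaaaaa3&container=0123456789ab 404
bob GET /api/beszel/systemd/info?system=a1b2c3d4e5f6g7h&service=sshd 200
alice GET /api/beszel/containers/logs?system=a1b2c3d4e5f6g7h&container=0123456789ab 200
alice POST /api/beszel/smart/refresh?system=a1b2c3d4e5f6g7h 200
anon GET /healthz 200`

// lineRE captures user, ?system= value and status, for /api/beszel/ routes only.
var lineRE = regexp.MustCompile(`^(\S+) \S+ /api/beszel/\S*[?&]system=([A-Za-z0-9]+)\S* (\d{3})$`)
type probeStats struct {
	Distinct int // distinct system IDs this user requested
	Rejected int // of those requests, how many were answered 403/404
}
// enumerationSuspects returns users who requested at least threshold distinct
// system IDs; a legitimate user repeatedly hits the few systems they own.
func enumerationSuspects(logText string, threshold int) map[string]probeStats {
	seen := map[string]map[string]bool{} // user -> set of system IDs
	rejected := map[string]int{}
	for _, line := range strings.Split(logText, "\n") {
		m := lineRE.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		user, sys, status := m[1], m[2], m[3]
		if seen[user] == nil {
			seen[user] = map[string]bool{}
		}
		seen[user][sys] = true
		if status == "403" || status == "404" {
			rejected[user]++
		}
	}
	out := map[string]probeStats{}
	for user, ids := range seen {
		if len(ids) >= threshold {
			out[user] = probeStats{Distinct: len(ids), Rejected: rejected[user]}
		}
	}
	return out
}
```

On the sample above, `enumerationSuspects(sampleLog, 3)` flags only bob (4 distinct IDs, 3 rejected); tune the threshold to the number of systems a normal user actually owns on your hub.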


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Beszel server to version 0.18.7 or later, where this vulnerability has been fixed by adding proper authorization checks on the user-supplied system IDs in the affected API endpoints.
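The missing step, shown as an added Go sketch rather than Beszel's own code: one handler built either the pre-0.18.7 way (authenticated caller plus user-supplied ?system=, no ownership check) or with the per-system membership check the fix describes. The in-memory systems map, the X-User header standing in for the session, and the IDs are constructed stand-ins; the hardened path also answers unknown and forbidden IDs identically, so the route cannot be used to confirm which IDs exist.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical in-memory stand-in for the hub's systems (constructed data, not Beszel's schema).
type system struct {
	Name  string
	Users map[string]bool // users permitted to view this system
}

var systems = map[string]*system{
	"a1b2c3d4e5f6g7h": {Name: "web-01", Users: map[string]bool{"alice": true}},
	"z9y8x7w6v5u4t3s": {Name: "db-01", Users: map[string]bool{"bob": true}},
}

// currentUser stands in for the hub's session check: authenticated, but not yet authorized.
func currentUser(r *http.Request) string { return r.Header.Get("X-User") }

// systemdInfo builds a /api/beszel/systemd/info handler. authorize=false mirrors
// the pre-0.18.7 pattern (any valid ID is served); authorize=true adds the check.
func systemdInfo(authorize bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		user := currentUser(r)
		if user == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		s, ok := systems[r.URL.Query().Get("system")]
		// Unknown and forbidden IDs get the same 404, so the response
		// cannot be used to confirm which IDs exist.
		if !ok || (authorize && !s.Users[user]) {
			http.NotFound(w, r)
			return
		}
		fmt.Fprintf(w, "systemd info for %s", s.Name)
	}
}

// statusFor sends one request as user for systemID and returns the status code.
func statusFor(h http.HandlerFunc, user, systemID string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/beszel/systemd/info?system="+systemID, nil)
	req.Header.Set("X-User", user)
	h(rec, req)
	return rec.Code
}
```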

Until the upgrade can be performed, restrict access to the Beszel hub API endpoints to trusted users only and monitor API usage for suspicious activity involving enumeration of system or container IDs.

Additionally, review and tighten access controls and authentication mechanisms to reduce the risk of unauthorized users exploiting this vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-40077 is an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users to access or manipulate data on systems they do not own due to missing authorization checks in Beszel hub API endpoints.

This unauthorized access to potentially sensitive data, such as application logs, Docker container metadata, and systemd unit properties, could lead to violations of data protection principles required by standards like GDPR and HIPAA, which mandate strict access controls and protection of personal and sensitive information.

Although the CVSS score is low (3.5), the vulnerability's ability to expose or allow manipulation of data without proper authorization may impact compliance by failing to ensure confidentiality and proper user access restrictions.

