CVE-2026-40077

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/henrygd/beszel/releases/tag/v0.18.7	Product Release Notes
https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*

History

17 Apr 2026, 17:37

Type	Values Removed	Values Added
CPE		cpe:2.3:a:beszel:beszel::::::::
First Time		Beszel beszel Beszel
References	~~() https://github.com/henrygd/beszel/releases/tag/v0.18.7 -~~	() https://github.com/henrygd/beszel/releases/tag/v0.18.7 - Product, Release Notes
References	~~() https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm -~~	() https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm - Exploit, Vendor Advisory

09 Apr 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 20:16

Updated : 2026-04-17 17:37

NVD link : CVE-2026-40077

Mitre link : CVE-2026-40077

CVE.ORG link : CVE-2026-40077

JSON object : View

Products Affected

beszel

beszel

CWE

CWE-184

Incomplete List of Disallowed Inputs

{"id": "CVE-2026-40077", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2026-04-09T20:16:27.230", "references": [{"url": "https://github.com/henrygd/beszel/releases/tag/v0.18.7", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-184"}]}], "descriptions": [{"lang": "en", "value": "Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7."}], "lastModified": "2026-04-17T17:37:33.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEE9E0EA-91E0-4B0C-83AC-4FAF20D19328", "versionEndExcluding": "0.18.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}