The beszel platform, a server monitoring tool, contains a path traversal vulnerability identified as CVE-2026-27734 affecting versions before 0.18.4. The vulnerability arises in the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info, which accept a user-supplied 'container' query parameter. This parameter is passed directly to the agent without proper validation or sanitization. The agent uses Go's fmt.Sprintf to construct Docker Engine API URLs with the raw 'container' value instead of applying url.PathEscape(), allowing malicious input containing '../' sequences to traverse directories. Since Go's http.Client does not sanitize such sequences when communicating over Unix sockets, an authenticated user can access arbitrary Docker API endpoints on the agent host. This can lead to exposure of sensitive infrastructure information such as container logs and metadata. The vulnerability requires authentication but does not require user interaction and does not allow integrity or availability compromise. The issue is resolved in beszel version 0.18.4 by properly escaping or validating the 'container' parameter before URL construction. No known exploits are reported in the wild as of publication.

This vulnerability can lead to unauthorized disclosure of sensitive infrastructure details by allowing authenticated users to access arbitrary Docker API endpoints on agent hosts. Organizations relying on beszel for monitoring containerized environments risk exposure of container logs and metadata, which may contain sensitive operational or security information. Although the vulnerability does not allow modification or disruption of services, the confidentiality breach can aid attackers in reconnaissance or lateral movement within the environment. The requirement for authentication limits exposure to insiders or compromised accounts, but readonly roles are also affected, increasing the attack surface. Enterprises with extensive container deployments and monitoring using beszel versions prior to 0.18.4 are at risk of information leakage that could facilitate further attacks or compliance violations.

Organizations should upgrade beszel to version 0.18.4 or later immediately to apply the official fix that properly sanitizes the 'container' query parameter. Until upgrading, restrict access to beszel's authenticated API endpoints to trusted users only and audit readonly accounts for potential misuse. Implement network segmentation and access controls to limit communication between beszel agents and Docker Engine APIs. Monitor API usage logs for unusual or unexpected requests containing directory traversal patterns such as '../'. Consider deploying Web Application Firewalls (WAFs) or API gateways that can detect and block path traversal attempts. Additionally, conduct regular security reviews of custom monitoring tools to ensure proper input validation and sanitization practices are followed.