Beszel is a server monitoring platform that prior to version 0.18.4 contained a path traversal vulnerability (CVE-2026-27734) in its authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info. These endpoints accept a 'container' query parameter which is passed directly to the agent without proper validation or sanitization. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw 'container' value instead of safely escaping it with url.PathEscape(). Because Go's http.Client does not sanitize '../' sequences in URL paths sent over unix sockets, an authenticated user can craft a 'container' parameter containing path traversal sequences to access arbitrary Docker API endpoints on the agent host. This can expose sensitive infrastructure details such as container logs, configuration, or other metadata that should be restricted. The vulnerability affects beszel versions prior to 0.18.4 and requires at least authenticated access (readonly role suffices). There is no known exploitation in the wild yet. The issue was addressed by properly escaping the 'container' parameter to prevent path traversal. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, privileges required, no user interaction, unchanged scope, high confidentiality impact, and no integrity or availability impact.

The primary impact of this vulnerability is unauthorized disclosure of sensitive infrastructure information. Attackers with authenticated access, even with readonly privileges, can leverage the path traversal to query arbitrary Docker Engine API endpoints on the agent host. This could reveal container logs, configurations, environment variables, or other metadata that may contain secrets or operational details. Such information disclosure can facilitate further attacks, reconnaissance, or lateral movement within an organization's infrastructure. Although the vulnerability does not allow code execution or denial of service, the exposure of sensitive data can significantly increase risk. Organizations relying on beszel for monitoring containerized environments are at risk of leaking critical operational data if running vulnerable versions. The requirement for authentication limits exposure to insiders or compromised accounts, but readonly roles are often widely granted, increasing the attack surface. Since the vulnerability affects the Docker API over unix sockets, it specifically impacts environments using Docker containers monitored by beszel agents.

Organizations should immediately upgrade beszel to version 0.18.4 or later, where the vulnerability is fixed by proper escaping of the 'container' parameter. Until upgrade is possible, restrict access to beszel's authenticated API endpoints to trusted users only, minimizing readonly role assignments. Implement network segmentation and host-level access controls to limit who can reach the beszel agent hosts and Docker API sockets. Monitor API usage logs for suspicious or anomalous requests containing path traversal sequences such as '../'. Employ runtime security tools to detect unusual Docker API calls. Review and tighten container monitoring roles and permissions to enforce least privilege. Additionally, consider deploying web application firewalls or API gateways that can detect and block path traversal attempts in query parameters. Regularly audit and rotate secrets and credentials that may be exposed through container metadata to reduce risk from potential leaks.