CVE-2026-40077: CWE-184: Incomplete List of Disallowed Inputs in henrygd beszel
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.
AI Analysis
Technical Summary
The Beszel server monitoring platform before version 0.18.7 contains an incomplete access control vulnerability (CWE-184) in some API endpoints. These endpoints accept a user-supplied system ID and do not verify if the user is authorized to access that system. System IDs are 15-character alphanumeric strings that are not generally exposed, but can theoretically be enumerated by authenticated users. Accessing container endpoints also requires enumerating a 12-digit hexadecimal container ID. This vulnerability allows any authenticated user to access data for any system if they can guess or enumerate the system and container IDs. The vulnerability is resolved in Beszel version 0.18.7.
Potential Impact
The vulnerability allows unauthorized read access to system data via the API for authenticated users who can enumerate valid system and container IDs. The impact is limited to confidentiality (partial data exposure) with no integrity or availability impact. The CVSS score of 3.5 reflects low severity due to the difficulty of exploitation (high attack complexity) and limited impact.
Mitigation Recommendations
Upgrade Beszel to version 0.18.7 or later, where this access control vulnerability is fixed. No other mitigation guidance is provided or necessary as the issue is resolved in the fixed version. Patch status is not explicitly stated but the description confirms the fix is in 0.18.7.
CVE-2026-40077: CWE-184: Incomplete List of Disallowed Inputs in henrygd beszel
Description
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Beszel server monitoring platform before version 0.18.7 contains an incomplete access control vulnerability (CWE-184) in some API endpoints. These endpoints accept a user-supplied system ID and do not verify if the user is authorized to access that system. System IDs are 15-character alphanumeric strings that are not generally exposed, but can theoretically be enumerated by authenticated users. Accessing container endpoints also requires enumerating a 12-digit hexadecimal container ID. This vulnerability allows any authenticated user to access data for any system if they can guess or enumerate the system and container IDs. The vulnerability is resolved in Beszel version 0.18.7.
Potential Impact
The vulnerability allows unauthorized read access to system data via the API for authenticated users who can enumerate valid system and container IDs. The impact is limited to confidentiality (partial data exposure) with no integrity or availability impact. The CVSS score of 3.5 reflects low severity due to the difficulty of exploitation (high attack complexity) and limited impact.
Mitigation Recommendations
Upgrade Beszel to version 0.18.7 or later, where this access control vulnerability is fixed. No other mitigation guidance is provided or necessary as the issue is resolved in the fixed version. Patch status is not explicitly stated but the description confirms the fix is in 0.18.7.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T00:39:12.205Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d7ff941cc7ad14da10e9de
Added to database: 4/9/2026, 7:35:48 PM
Last enriched: 4/9/2026, 7:51:20 PM
Last updated: 4/10/2026, 8:15:16 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.