CVE-2026-27734: Docker API Path Traversal in Beszel Agent via Unsanitized Input


Vulnerability ID: CVE-2026-27734
CVSS Score: 6.5
Published: 2026-02-27

A path traversal vulnerability exists in the Beszel server monitoring agent, allowing authenticated users to reach arbitrary Docker Engine API endpoints. The vulnerability arises from improper sanitization of the 'container' query parameter when the agent constructs requests to the Docker Unix socket. By injecting directory traversal sequences, an attacker with minimal privileges (including a Read-Only role) can escape the intended container scope and query sensitive host-level information, such as the Docker version, system info, or details of other containers running on the host.

TL;DR

Beszel agents prior to v0.18.4 fail to sanitize container IDs before passing them to the Docker socket. Authenticated users can use '../' sequences to traverse the Docker API and access unauthorized system information.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-22
  • Attack Vector: Network
  • CVSS: 6.5 (Medium)
  • Impact: Information Disclosure
  • Protocol: HTTP over Unix Socket
  • Exploit Status: Proof of Concept Available

Affected Systems

  • Beszel Agent < 0.18.4
  • Beszel Hub < 0.18.4
  • Beszel: < 0.18.4 (Fixed in: 0.18.4)

Code Analysis

Commit: 311095c

fix: prevent path traversal in docker container api

@@ -10,6 +10,8 @@
    "net/http"
    "net/url"
+   "regexp"

    "github.com/henrygd/beszel/internal/agent"
 )

+var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
+
 func (h *Hub) ProxyDockerRequest(w http.ResponseWriter, r *http.Request) {
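Review bot: `containerIDPattern` is declared here, but the hunk ends before the point in `ProxyDockerRequest` where it is applied; the check needs to run on the `container` query value before any socket path is built from it, rejecting a non-match with a 400 instead of forwarding the request, and that use should be part of this change so the declaration is not left unused. A one-line comment above the `var` stating the intent (12 to 64 hex characters, i.e. short or full Docker container IDs, and nothing else) would keep a later edit from loosening the pattern to accept names. The anchoring is right for Go: without the `m` flag, `$` in RE2 matches only at end of text, so a trailing newline cannot slip past it.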

Exploit Details

Mitigation Strategies

  • Input Validation
  • URL Encoding
  • Principle of Least Privilege

Remediation Steps:

  1. Upgrade the Beszel Hub and all Agents to version 0.18.4 or later.
  2. Ensure that the Hub and Agents are restarted to apply the new binary.
  3. Review access logs for requests to /api/beszel/containers containing .. sequences to identify past exploitation attempts.
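Step 3 asks for a log review; the following is an added example of that review in Go, not Beszel's own code. It applies the same container-ID pattern the fix introduces to the `container` parameter of every request to /api/beszel/containers in an access log, percent-decoding first so an encoded `..` is not missed, and it flags anything the fixed agent would reject, not only `..` sequences. The Common Log Format layout and the sample lines are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Same shape as the pattern the 0.18.4 fix adds: 12 (short) to 64 (full) hex chars.
var containerIDPattern = regexp.MustCompile(`^[a-fA-F0-9]{12,64}$`)
var requestLine = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`) // "METHOD URL PROTO" in a CLF line (assumed format)

// inspectRequestURL returns the percent-decoded container parameter plus a
// reason when the fixed agent would reject it ("%2e%2e" decodes to "..").
func inspectRequestURL(rawURL string) (container, reason string) {
	u, err := url.Parse(rawURL)
	if err != nil || !strings.HasPrefix(u.Path, "/api/beszel/containers") {
		return "", ""
	}
	container = u.Query().Get("container")
	if container == "" || containerIDPattern.MatchString(container) {
		return container, "" // absent, or a well-formed ID the fix accepts
	}
	if strings.Contains(container, "..") {
		return container, "traversal sequence"
	}
	return container, "not a hex container ID"
}

func scanAccessLog(logText string) []string {
	var hits []string // one "line N: reason: container" entry per suspicious request
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		if m := requestLine.FindStringSubmatch(sc.Text()); m != nil {
			if c, why := inspectRequestURL(m[1]); why != "" {
				hits = append(hits, fmt.Sprintf("line %d: %s: %s", n, why, c))
			}
		}
	}
	return hits
}

// Constructed sample access-log lines (not from any real deployment).
const sampleLog = `10.0.0.5 - - [27/Feb/2026:10:00:00 +0000] "GET /api/beszel/containers?container=3f2a9c1b7d4e HTTP/1.1" 200 812
10.0.0.9 - - [27/Feb/2026:10:00:03 +0000] "GET /api/beszel/containers?container=../../version HTTP/1.1" 200 1024
10.0.0.9 - - [27/Feb/2026:10:00:05 +0000] "GET /api/beszel/containers?container=%2e%2e%2F%2e%2e%2Finfo HTTP/1.1" 200 4096
10.0.0.7 - - [27/Feb/2026:10:00:07 +0000] "GET /api/beszel/containers?container=web HTTP/1.1" 200 655`

func main() { fmt.Println(strings.Join(scanAccessLog(sampleLog), "\n")) }
```

Lines 2 and 3 of the sample are reported as traversal (the third only after decoding), line 4 because a name is not an ID, and the first line passes because it is a valid short ID.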

References


Read the full report for CVE-2026-27734 on our website for more details including interactive diagrams and full exploit analysis.