CVE-2026-27734 Overview
CVE-2026-27734 is a path traversal vulnerability affecting Beszel, a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize ../ sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details.
Critical Impact
Authenticated users with any role, including readonly, can exploit path traversal sequences to access arbitrary Docker API endpoints on agent hosts, potentially exposing sensitive infrastructure information and container configurations.
Affected Products
- Beszel server monitoring platform versions prior to 0.18.2
- Beszel hub API endpoints /api/beszel/containers/logs and /api/beszel/containers/info
- All agent hosts connected to vulnerable Beszel hub instances
Discovery Timeline
- 2026-02-27 - CVE-2026-27734 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-27734
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The core issue lies in the hub's API implementation which accepts a user-supplied "container" query parameter and forwards it to the agent without proper input sanitization or validation.
The agent component then constructs Docker Engine API URLs by directly interpolating this untrusted input using Go's fmt.Sprintf function. The critical security flaw is the absence of url.PathEscape() encoding on this user-controlled value. This oversight allows attackers to inject path traversal sequences such as ../ into the URL path.
Go's standard http.Client library exhibits behavior that exacerbates this vulnerability: it does not automatically sanitize path traversal sequences (../) from URL paths when communicating over unix sockets. This is particularly relevant since Docker Engine API communication typically occurs over the Docker unix socket (/var/run/docker.sock).
An attacker with any level of authentication, including the lowest-privilege readonly role, can craft malicious requests containing ../ sequences in the container parameter. This allows them to escape the intended API path and access arbitrary Docker Engine API endpoints, potentially exposing sensitive information about the container infrastructure, system configurations, and other containers running on the host.
Root Cause
The root cause is insufficient input validation in the Beszel hub's container-related API endpoints. The "container" query parameter is passed directly to agent hosts without sanitization. The agent fails to use proper URL encoding functions like url.PathEscape() when constructing Docker Engine API URLs, allowing path traversal sequences to be interpreted literally. This combination of missing input validation at the hub level and improper URL construction at the agent level creates an exploitable path traversal condition.
Attack Vector
The attack is network-based and requires low-privilege authentication. An attacker with valid credentials (even readonly access) can send HTTP GET requests to the vulnerable endpoints (/api/beszel/containers/logs or /api/beszel/containers/info) with a maliciously crafted "container" parameter containing ../ path traversal sequences. These sequences allow the attacker to navigate out of the intended Docker API path and access arbitrary endpoints on the Docker Engine API, potentially retrieving sensitive infrastructure information, container configurations, secrets, or other data accessible through the Docker API.
The vulnerability mechanism can be described as follows: when a legitimate request targets a specific container, the agent constructs a URL path. However, by injecting traversal sequences into the container parameter, an attacker can manipulate the constructed path to reach unintended Docker API endpoints. The agent's use of fmt.Sprintf without proper escaping, combined with Go's http.Client behavior over unix sockets, allows these sequences to remain intact and be processed by the Docker daemon. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-27734
Indicators of Compromise
- HTTP requests to /api/beszel/containers/logs or /api/beszel/containers/info endpoints containing ../ sequences in the "container" query parameter
- Unusual Docker API access patterns originating from Beszel agent processes
- Access logs showing attempts to reach Docker API endpoints outside of normal container monitoring operations
- Authenticated users accessing container information for resources they should not have visibility into
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block path traversal sequences (../, ..%2F, ..%5C) in query parameters
- Monitor Beszel hub access logs for requests containing encoded or raw path traversal patterns in the container parameter
- Enable Docker daemon audit logging to detect unusual API access patterns from the Beszel agent
- Deploy runtime application self-protection (RASP) solutions capable of detecting path traversal attempts
Monitoring Recommendations
- Configure alerting for any requests to Beszel container endpoints containing path manipulation characters
- Monitor Docker socket access for requests originating from Beszel agent processes that target unexpected API endpoints
- Review authentication logs for accounts accessing container information outside their normal operational scope
- Establish baseline behavior for Docker API access patterns and alert on deviations
How to Mitigate CVE-2026-27734
Immediate Actions Required
- Upgrade Beszel to version 0.18.4 or later immediately, as this version contains the security fix
- Audit access logs for any signs of exploitation attempts against the vulnerable endpoints
- Review user accounts with access to the Beszel platform and remove unnecessary readonly or higher-privilege accounts
- Consider implementing network segmentation to limit access to Beszel hub and agent communication channels
Patch Information
The vulnerability has been addressed in Beszel version 0.18.4. The fix implements proper input validation and URL encoding using url.PathEscape() to prevent path traversal sequences from being processed. Organizations should update to this version or later as soon as possible. The patched release is available at the GitHub Release v0.18.4. Additional details about the vulnerability and fix are documented in the GitHub Security Advisory GHSA-phwh-4f42-gwf3.
Workarounds
- If immediate patching is not possible, implement a reverse proxy or WAF in front of the Beszel hub to filter requests containing path traversal sequences
- Restrict network access to Beszel hub API endpoints to only trusted IP ranges or systems
- Temporarily disable or restrict access to the vulnerable container logs and info endpoints if the functionality is not critical
- Monitor and audit all access to the affected endpoints while awaiting patching
# Example: Verify Beszel version after upgrade
beszel version
# Expected output should show v0.18.4 or later
# Example: WAF rule concept for blocking path traversal in container parameter
# Block requests where 'container' parameter contains path traversal sequences
# SecRule ARGS:container "@contains ../" "id:100001,phase:1,deny,status:403,msg:'Path traversal attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
