PT-2026-22382 · Beszel · Beszel

Nekros1Xx · Published 2026-02-27 · Updated 2026-03-25 · CVE-2026-27734

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Beszel versions prior to 0.18.2
Beszel versions 0.18.2 through 0.18.3

Description

Beszel is a server monitoring platform. The platform's authenticated API endpoints, specifically "/api/beszel/containers/logs" and "/api/beszel/containers/info", pass the container query parameter to the agent without proper validation. The agent then uses this parameter to construct Docker Engine API URLs using fmt.Sprintf instead of url.PathEscape. Because Go's http.Client does not sanitize ../ sequences in URL paths sent over unix sockets, an authenticated user, even with a readonly role, can potentially traverse to arbitrary Docker API endpoints on the agent hosts. This could expose sensitive infrastructure details.

Recommendations

Update Beszel to version 0.18.4 or later.
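
The URL-construction flaw in the description, shown beside a hardened form, as an added example that is not Beszel's code or its actual fix. The function names, the container ID pattern and the exact path format are assumptions made for illustration; the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Assumed allowlist: a container ID is 12 to 64 lowercase hex characters.
// A deployment that addresses containers by name needs a wider pattern.
var containerIDPattern = regexp.MustCompile(`^[a-f0-9]{12,64}$`)

// unsafeInfoPath mirrors the flawed pattern from the description: the
// caller-supplied value is formatted straight into the request path, so
// any "/" or ".." it carries becomes part of the path structure.
func unsafeInfoPath(container string) string {
	return fmt.Sprintf("/containers/%s/json", container)
}

// safeInfoPath rejects anything that is not a container ID, then escapes
// the value so it can only ever occupy a single path segment.
func safeInfoPath(container string) (string, error) {
	if !containerIDPattern.MatchString(container) {
		return "", errors.New("invalid container id")
	}
	return "/containers/" + url.PathEscape(container) + "/json", nil
}

// segmentCount reports how many "/"-separated segments a path contains.
// A well-formed container request path has exactly three.
func segmentCount(p string) int {
	return len(strings.Split(strings.Trim(p, "/"), "/"))
}

func main() {
	// Constructed inputs: a well-formed ID and a value with dot-dot segments.
	for _, in := range []string{"0123456789ab", "x/../../other"} {
		unsafe := unsafeInfoPath(in)
		safe, err := safeInfoPath(in)
		fmt.Printf("input=%q\n  unsafe=%s (%d segments)\n  safe=%q err=%v\n",
			in, unsafe, segmentCount(unsafe), safe, err)
	}
}
```

The segment count also works as a cheap regression check: a container request path with more than three segments means the parameter changed the path structure.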

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-27734
GHSA-PHWH-4F42-GWF3
GO-2026-4571
SUSE-SU-2026:1042-1

Affected Products

Beszel