Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable WebSocket handler with no privilege requirement; low uniform impact reflects limited per-request Docker agent access without full system compromise.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.
AnalysisAI
Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond network reachability of the Isaiah instance - the CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms unauthenticated, zero-interaction exploitation with low complexity against any version up to 1.36.9. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms straightforward network exploitation requiring no privileges, no user interaction, and no special attack conditions, producing a base score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker connects to the Isaiah WebSocket endpoint and sends a crafted message with a manipulated Agent argument targeting a specific Docker agent. Because Server.Handle performs no authorization check on this argument, the server processes the request and executes Docker agent operations on the attacker's behalf. … |
| Remediation | No officially released patched version has been confirmed - the fix exists only as GitHub pull request #35 (https://github.com/will-moss/isaiah/pull/35), which awaits upstream acceptance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43298
GHSA-ch9v-gm7f-9q33