CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
Description
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15-character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via the web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is a 12-digit hexadecimal string. This vulnerability is fixed in 0.18.7.
Analysis
Beszel prior to 0.18.7 allows authenticated users to access monitoring data for any system without authorization checks, enabling information disclosure of system details and container metadata through ID enumeration. An authenticated attacker can bypass access controls on API endpoints by supplying a valid system ID (15-character alphanumeric) and optionally a container ID (12-digit hexadecimal), potentially discovering sensitive monitoring information across all systems in the platform despite not having legitimate access.
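The missing check described above, sketched as an added Go example; this is not Beszel's code or its actual fix. The `System` type, its `Users` field, the function names and the sample IDs are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// System is a hypothetical monitored-system record (not Beszel's schema).
// Users lists the account IDs allowed to view it.
type System struct {
	ID    string
	Name  string
	Users []string
}

// Constructed sample data: these 15-character IDs are made up for the example.
var systems = map[string]System{
	"a1b2c3d4e5f6g7h": {ID: "a1b2c3d4e5f6g7h", Name: "db-01", Users: []string{"alice"}},
	"z9y8x7w6v5u4t3s": {ID: "z9y8x7w6v5u4t3s", Name: "web-01", Users: []string{"bob"}},
}

var ErrNotFound = errors.New("system not found")

// lookupUnchecked shows the flawed pattern: the caller is authenticated,
// but knowing the system ID is the only requirement for access.
func lookupUnchecked(userID, systemID string) (System, error) {
	s, ok := systems[systemID]
	if !ok {
		return System{}, ErrNotFound
	}
	return s, nil
}

// lookupAuthorized also requires the caller to be listed on the record.
// Unknown and forbidden IDs return the same error, so the response does
// not confirm whether a guessed ID exists.
func lookupAuthorized(userID, systemID string) (System, error) {
	s, ok := systems[systemID]
	if ok {
		for _, u := range s.Users {
			if u == userID {
				return s, nil
			}
		}
	}
	return System{}, ErrNotFound
}

func main() {
	_, err := lookupUnchecked("bob", "a1b2c3d4e5f6g7h")
	fmt.Println("unchecked, bob reads alice's system, err =", err)
	_, err = lookupAuthorized("bob", "a1b2c3d4e5f6g7h")
	fmt.Println("authorized, bob reads alice's system, err =", err)
}
```
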
EUVD-2026-21047
GHSA-5f5r-95pg-xrpm