What is the CVSS score of CVE-2026-40077?

CVE-2026-40077 has a CVSS 3.1 base score of 3.5 (Low). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-40077?

Yes, a patch is available for CVE-2026-40077. Update the affected software to the latest version immediately.

Beszel CVE-2026-40077

EUVD-2026-21047 LOW

Incomplete List of Disallowed Inputs (CWE-184)

2026-04-09 GitHub_M

GHSA-5f5r-95pg-xrpm

Information Disclosure Beszel

3.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

3.5 LOW

AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 19:45 euvd

EUVD-2026-21047

Analysis Generated

Apr 09, 2026 - 19:45 vuln.today

CVE Published

Apr 09, 2026 - 19:27 nvd

LOW 3.5

DescriptionGitHub Advisory

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

AnalysisAI

Beszel prior to 0.18.7 allows authenticated users to access monitoring data for any system without authorization checks, enabling information disclosure of system details and container metadata through ID enumeration. An authenticated attacker can bypass access controls on API endpoints by supplying a valid system ID (15 character alphanumeric) and optionally a container ID (12 digit hexadecimal), potentially discovering sensitive monitoring information across all systems in the platform despite not having legitimate access.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents low-to-moderate real-world risk despite the low CVSS score of 3.5. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated user with legitimate access to the Beszel hub gains knowledge that a specific system ID exists (through administrative disclosure or brute-force enumeration). The attacker uses Beszel API endpoints to request monitoring data for that system ID without being granted explicit access, successfully retrieving sensitive information such as CPU usage, memory consumption, and running container details that should have been restricted. …
Remediation	Vendor-released patch: Beszel 0.18.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40077 vulnerability details – vuln.today

Back

Beszel CVE-2026-40077

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code