Skip to main content

Isaiah EUVDEUVD-2026-43298

| CVE-2026-15541 MEDIUM
Missing Authorization (CWE-862)
2026-07-13 VulDB GHSA-ch9v-gm7f-9q33
6.9
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-reachable WebSocket handler with no privilege requirement; low uniform impact reflects limited per-request Docker agent access without full system compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 13, 2026 - 08:23 vuln.today

DescriptionCVE.org

A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.

AnalysisAI

Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet-exposed Isaiah instance
Delivery
Establish unauthenticated WebSocket connection
Exploit
Craft message with manipulated Agent argument
Execution
Bypass authorization in Server.Handle
Impact
Execute unauthorized Docker agent operations

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond network reachability of the Isaiah instance - the CVSS 4.0 vector (PR:N/UI:N/AC:L/AT:N) confirms unauthenticated, zero-interaction exploitation with low complexity against any version up to 1.36.9. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms straightforward network exploitation requiring no privileges, no user interaction, and no special attack conditions, producing a base score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker connects to the Isaiah WebSocket endpoint and sends a crafted message with a manipulated Agent argument targeting a specific Docker agent. Because Server.Handle performs no authorization check on this argument, the server processes the request and executes Docker agent operations on the attacker's behalf. …
Remediation No officially released patched version has been confirmed - the fix exists only as GitHub pull request #35 (https://github.com/will-moss/isaiah/pull/35), which awaits upstream acceptance. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy