CVE-2026-40077

Source
https://cve.org/CVERecord?id=CVE-2026-40077
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40077.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40077
Aliases
Published
2026-04-09T19:27:39.364Z
Modified
2026-07-08T08:13:12.092514714Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Beszel has an IDOR in hub API endpoints that read system ID from URL parameter
Details

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40077.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-184"
    ]
}
References

Affected packages

Git / github.com/henrygd/beszel

Affected ranges

Type
GIT
Repo
https://github.com/henrygd/beszel
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.18.7"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.1-alpha.0
v0.0.1-alpha.1
v0.0.1-alpha.2
v0.0.1-alpha.3
v0.0.1-alpha.4
v0.0.1-alpha.5
v0.0.1-alpha.6
v0.0.1-alpha.7
v0.0.1-alpha.8
v0.0.1-alpha.9
v0.1.0
v0.1.1
v0.1.2
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.11.1
v0.12.0
v0.12.0-beta1
v0.12.0-beta2
v0.12.1
v0.12.10
v0.12.11
v0.12.12
v0.12.2
v0.12.3
v0.12.4
v0.12.5
v0.12.6
v0.12.7
v0.12.8
v0.12.9
v0.13.0
v0.13.1
v0.13.2
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.16.0
v0.16.1
v0.17.0
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.2.0
v0.3.0
v0.4.0
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.0
v0.9.0
v0.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40077.json"