Nixpkgs security tracker

Untriaged

Permalink CVE-2026-40077

3.5 LOW

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): NONE
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): NONE
Availability impact (A): NONE

created 1 week, 2 days ago

Beszel has an IDOR in hub API endpoints that read system ID from URL parameter

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

References

https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm x_refsource_CONFIRM
https://github.com/henrygd/beszel/releases/tag/v0.18.7 x_refsource_MISC

Affected products

beszel

==< 0.18.7

Matching in nixpkgs

pkgs.beszel

Lightweight server monitoring hub with historical data, docker stats, and alerts

nixos-unstable 0.18.6
- nixpkgs-unstable 0.18.6
- nixos-unstable-small 0.18.6
nixos-25.11 0.18.4
- nixos-25.11-small 0.18.6
- nixpkgs-25.11-darwin 0.18.6

Package maintainers

@Bot-wxt1221 Bot-wxt1221 <3264117476@qq.com>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.beszel

Package maintainers