CVE-2026-40077

CVE-2026-40077 is a low-severity vulnerability in Beszel with a CVSS 3.x base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-184.

Key facts

Description

Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.

Frequently asked questions

What is CVE-2026-40077?
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.
How severe is CVE-2026-40077?
CVE-2026-40077 has a CVSS 3.x base score of 3.5, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
Is CVE-2026-40077 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2026-40077?
CVE-2026-40077 affects Beszel. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2026-40077?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-40077 have an EU (EUVD) identifier?
Yes. CVE-2026-40077 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-21047.
When was CVE-2026-40077 published?
CVE-2026-40077 was published on 2026-04-09 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Beszel

All CVEs affecting Beszel →

Other CWE-184 vulnerabilities

Browse all CWE-184 vulnerabilities →