CVE-2026-40077
CVE-2026-40077 is a low-severity vulnerability in Beszel with a CVSS 3.x base score of 3.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-184.
Key facts
- Severity: Low (CVSS 3.x base score 3.5)
- EPSS exploit prediction: 0% (12th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-21047
- Weakness: CWE-184
- Affected product: Beszel
- Published:
- Last modified:
Description
Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.
Frequently asked questions
- What is CVE-2026-40077?
- Beszel is a server monitoring platform. Prior to 0.18.7, some API endpoints in the Beszel hub accept a user-supplied system ID and proceed without further checks that the user should have access to that system. As a result, any authenticated user can access these routes for any system if they know the system's ID. System IDs are random 15 character alphanumeric strings, and are not exposed to all users. However, it is theoretically possible for an authenticated user to enumerate a valid system ID via web API. To use the containers endpoints, the user would also need to enumerate a container ID, which is 12 digit hexadecimal string. This vulnerability is fixed in 0.18.7.
- How severe is CVE-2026-40077?
- CVE-2026-40077 has a CVSS 3.x base score of 3.5, rated low severity. It is exploitable over network with high attack complexity, requires low privileges and no user interaction. Impact on confidentiality is low, integrity none, and availability none.
- Is CVE-2026-40077 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-40077?
- CVE-2026-40077 affects Beszel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-40077?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-40077 have an EU (EUVD) identifier?
- Yes. CVE-2026-40077 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-21047.
- When was CVE-2026-40077 published?
- CVE-2026-40077 was published on 2026-04-09 and last updated on 2026-06-17.
References
- https://github.com/henrygd/beszel/releases/tag/v0.18.7
- https://github.com/henrygd/beszel/security/advisories/GHSA-5f5r-95pg-xrpm
Affected products (1)
- cpe:2.3:a:beszel:beszel:*:*:*:*:*:*:*:*
More vulnerabilities in Beszel
- CVE-2026-27734 — Medium (CVSS 6.5): Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET…
Other CWE-184 vulnerabilities
- CVE-2026-28363 — Critical (CVSS 9.9): In OpenClaw before 2026.2.23, tools.exec.safeBins validation for sort could be bypassed via GNU long-option…
- CVE-2026-56315 — Critical (CVSS 9.8): picklescan before 1.0.4 fails to block at least seven Python standard library modules (including uuid, _osx_support,…
- CVE-2026-53873 — Critical (CVSS 9.8): picklescan before 1.0.4 contains an incomplete blocklist for the profile module that fails to block the module-level…
- CVE-2025-71323 — Critical (CVSS 9.8): picklescan before 0.0.33 fails to block the ctypes module, allowing attackers to achieve remote code execution by…
- CVE-2025-71320 — Critical (CVSS 9.8): picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller…
- CVE-2026-41264 — Critical (CVSS 9.8): Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, the specific…