📄 Description (English)
Beszel is a server monitoring platform. Prior to version 0.18.2, the hub's authenticated API endpoints GET /api/beszel/containers/logs and GET /api/beszel/containers/info pass the user-supplied "container" query parameter to the agent without validation. The agent constructs Docker Engine API URLs using fmt.Sprintf with the raw value instead of url.PathEscape(). Since Go's http.Client does not sanitize `../` sequences from URL paths sent over unix sockets, an authenticated user (including readonly role) can traverse to arbitrary Docker API endpoints on agent hosts, exposing sensitive infrastructure details. Version 0.18.4 fixes the issue.
🤖 AI Executive Summary
Beszel server monitoring platform versions prior to 0.18.2 contain a path traversal vulnerability in authenticated API endpoints that allows users with read-only roles to access arbitrary Docker API endpoints on agent hosts. An attacker can exploit improper input validation on the 'container' query parameter to traverse directory structures and expose sensitive infrastructure details. This vulnerability affects organizations using Beszel for infrastructure monitoring across Saudi Arabia, particularly those managing containerized environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 12, 2026 17:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations in the technology, cloud infrastructure, and DevOps sectors that deploy Beszel for container and server monitoring. High-risk sectors include: (1) Banking and Financial Services — institutions using containerized infrastructure for payment systems and core banking platforms; (2) Government and Critical Infrastructure — NCA-regulated entities managing sensitive infrastructure monitoring; (3) Telecommunications — STC and other telecom operators using Beszel for network infrastructure monitoring; (4) Energy Sector — ARAMCO and related entities managing industrial control systems; (5) Healthcare — hospitals and health information systems using containerized deployments. The vulnerability allows authenticated users (including those with minimal read-only permissions) to bypass access controls and enumerate sensitive Docker configurations, potentially exposing database credentials, API keys, and infrastructure topology.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Critical Infrastructure
Telecommunications
Energy and Utilities
Healthcare
Technology and Cloud Services
Manufacturing and Industrial Control Systems
🎯 MITRE ATT&CK Techniques
T1083 — File and Directory Discovery (traversing Docker API endpoints to enumerate infrastructure)
T1526 — Cloud Service Discovery (accessing Docker API to discover container configurations)
T1087 — Account Discovery (enumerating Docker secrets and configurations)
T1580 — Cloud Infrastructure Discovery (exposing infrastructure topology through Docker API)
T1552 — Unsecured Credentials (potential exposure of API keys and credentials in Docker configs)
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Beszel deployments in your organization and document version numbers
2. Restrict network access to Beszel hub and agent endpoints to trusted networks only
3. Review access logs for suspicious container parameter queries containing '../' sequences
4. Audit user accounts with Beszel access, particularly read-only roles
PATCHING GUIDANCE:
1. Upgrade Beszel to version 0.18.4 or later immediately
2. If upgrade is not immediately possible, disable public access to /api/beszel/containers/logs and /api/beszel/containers/info endpoints
3. Implement network segmentation to isolate Beszel agents from untrusted networks
COMPENSATING CONTROLS (if patch unavailable):
1. Deploy WAF rules to block requests containing '../' in the 'container' query parameter
2. Implement strict input validation at the reverse proxy level
3. Monitor and alert on any container parameter values containing path traversal sequences
4. Restrict Beszel API access to specific IP ranges using firewall rules
5. Implement mutual TLS authentication between hub and agents
DETECTION RULES:
1. Monitor for HTTP requests to /api/beszel/containers/* endpoints with 'container' parameter containing '../'
2. Alert on Docker API calls from Beszel agents to unexpected endpoints
3. Track authentication logs for read-only user access to sensitive endpoints
4. Monitor for unusual Docker API endpoint access patterns (e.g., /v1.40/secrets, /v1.40/configs)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع نشرات Beszel في مؤسستك وقم بتوثيق أرقام الإصدارات
2. قيد الوصول إلى نقاط نهاية Beszel hub والوكيل إلى الشبكات الموثوقة فقط
3. راجع سجلات الوصول للاستعلامات المريبة لمعامل الحاوية التي تحتوي على تسلسلات '../'
4. قم بتدقيق حسابات المستخدمين الذين لديهم وصول Beszel، خاصة الأدوار المتعلقة بالقراءة فقط
إرشادات التصحيح:
1. قم بترقية Beszel إلى الإصدار 0.18.4 أو أحدث على الفور
2. إذا لم يكن الترقية ممكنة على الفور، قم بتعطيل الوصول العام إلى نقاط نهاية /api/beszel/containers/logs و /api/beszel/containers/info
3. تنفيذ تقسيم الشبكة لعزل وكلاء Beszel عن الشبكات غير الموثوقة
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. نشر قواعد WAF لحظر الطلبات التي تحتوي على '../' في معامل الاستعلام 'container'
2. تنفيذ التحقق الصارم من المدخلات على مستوى الوكيل العكسي
3. مراقبة والتنبيه على أي قيم معامل حاوية تحتوي على تسلسلات اجتياز المسار
4. تقييد وصول Beszel API إلى نطاقات IP محددة باستخدام قواعد جدار الحماية
5. تنفيذ مصادقة TLS المتبادلة بين hub والوكلاء
قواعد الكشف:
1. مراقبة طلبات HTTP إلى نقاط نهاية /api/beszel/containers/* مع معامل 'container' يحتوي على '../'
2. التنبيه على استدعاءات Docker API من وكلاء Beszel إلى نقاط نهاية غير متوقعة
3. تتبع سجلات المصادقة لوصول المستخدم بالقراءة فقط إلى نقاط النهاية الحساسة
4. مراقبة أنماط الوصول إلى نقاط نهاية Docker API غير العادية (مثل /v1.40/secrets و /v1.40/configs)
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 — Access Control Policy (unauthorized access to infrastructure details)
ECC 2024 A.6.1.2 — User Access Management (read-only role bypass)
ECC 2024 A.8.2.1 — User Authentication (authentication bypass through parameter manipulation)
ECC 2024 A.12.4.1 — Event Logging (insufficient logging of API access attempts)
🔵 SAMA CSF
SAMA CSF ID.AM-2 — Asset Management (inventory of monitoring tools and their vulnerabilities)
SAMA CSF PR.AC-1 — Access Control (enforcement of least privilege principles)
SAMA CSF PR.AC-3 — Access Enforcement (proper validation of user inputs)
SAMA CSF DE.CM-1 — Detection and Analysis (monitoring of suspicious API access patterns)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 — Access Control (authentication and authorization mechanisms)
ISO 27001:2022 A.5.16 — Cryptography (secure communication between hub and agents)
ISO 27001:2022 A.5.18 — User Endpoint Devices (monitoring of container infrastructure)
ISO 27001:2022 A.8.22 — Information Security Incident Management (detection and response)
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 — Injection flaws (path traversal is a form of injection attack)
PCI DSS 7.1 — Least Privilege Access (read-only role should not access sensitive endpoints)
PCI DSS 10.2 — Logging and Monitoring (audit trails for API access)