Unauthenticated OS Command Injection Vulnerability in Dockwatch by Notifiarr
CVE-2026-58455
9.2 CRITICAL
What is CVE-2026-58455?
Dockwatch version 0.6.567 and earlier contain an OS command injection in the application's AJAX handlers, caused by inadequate input sanitization. The authentication check is incomplete: the failure branch lacks an exit call, so the script keeps running after an unauthenticated request is rejected. A remote attacker can use that gap to seed a session flag and then supply shell metacharacters in the composePath parameter of ajax/compose.php, which the handler interpolates into a shell command. The injected commands run with the privileges of the web application, which gives the attacker full control of Dockwatch and, in the standard deployment where the Docker socket is exposed to the application, a path to compromising every container and the host itself.
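The two defects the description names, a guard that redirects without stopping execution and a path concatenated into a shell command, are shown below beside a hardened form. This is an added illustrative example, not Dockwatch's code or the fix shipped by Notifiarr; the session key `authenticated`, the `docker compose -f ... config` invocation, the `$composeRoot` directory and the sample payload are assumptions made for the demonstration.

```php
<?php
// Added example for CVE-2026-58455's vulnerability class. Hypothetical code:
// it does not reproduce Dockwatch's real ajax/compose.php or its actual fix.
declare(strict_types=1);

// ---------- Vulnerable pattern ----------

// Auth guard that redirects but does not stop execution. header() only
// queues a response header; it never terminates the script, so an
// unauthenticated caller still reaches the command-building code below.
function vulnerableGuard(): void
{
    if (empty($_SESSION['authenticated'])) {          // assumed session key
        header('Location: /login.php');
        // BUG: no exit/die here, execution continues for anonymous callers
    }
}

// Builds the shell command by string concatenation. Any metacharacter in
// composePath (";", "|", "$(...)", backticks) becomes part of the command
// line, so the attacker controls what the shell executes.
function vulnerableCompose(string $composePath): string
{
    return 'docker compose -f ' . $composePath . ' config';   // assumed invocation
}

// ---------- Hardened pattern ----------

// Same guard with the missing exit: nothing below it runs once the caller
// has been redirected.
function hardenedGuard(): void
{
    if (empty($_SESSION['authenticated'])) {
        http_response_code(302);
        header('Location: /login.php');
        exit;
    }
}

// Resolve composePath, confine it to an allowlisted directory and a
// compose-file extension, and quote it as a single shell argument.
// Returns null when the value is rejected.
function hardenedCompose(string $composePath, string $composeRoot): ?string
{
    $root = realpath($composeRoot);
    $real = realpath($composePath);
    if ($root === false || $real === false) {
        return null;                       // non-existent path or injected junk
    }
    // Must resolve strictly inside $composeRoot (blocks ../ traversal).
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!preg_match('/\.ya?ml$/', $real)) {
        return null;
    }
    return 'docker compose -f ' . escapeshellarg($real) . ' config';
}

// ---------- Demonstration with a constructed payload ----------

// Constructed attacker input: a plausible file name followed by a second
// shell command, with "#" commenting out the rest of the original line.
$payload = '/tmp/x.yml; id > /tmp/pwned #';

echo 'vulnerable: ' . vulnerableCompose($payload) . PHP_EOL;

$safe = hardenedCompose($payload, '/opt/dockwatch/compose');   // assumed root
echo 'hardened:   ' . ($safe ?? 'rejected') . PHP_EOL;
```

Run with `php example.php`. The vulnerable branch prints a command line that the shell would split into `docker compose -f /tmp/x.yml` and `id > /tmp/pwned`; the hardened branch prints `rejected`, because `realpath()` fails on the injected string and, even for an existing file, anything outside the allowlisted directory is refused. On PHP 7.4 and later, passing an argument array to `proc_open()` instead of a string avoids the shell entirely and is preferable to relying on `escapeshellarg()` alone.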
Affected Version(s)
dockwatch, all versions up to and including 0.6.567
CVSS v4
Score: 9.2 (CRITICAL)
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical (as rendered on the page; this is not a valid value for the CVSS v4 Attack Requirements metric, which is either None or Present)
Privileges Required: Undefined (as rendered on the page; CVSS v4 uses None, Low or High, and an unauthenticated attack corresponds to None)
User Interaction: None
Credit
rayyb0t (https://github.com/rayyb0t)
