Unauthenticated OS Command Injection Vulnerability in Dockwatch by Notifiarr
CVE-2026-58455

9.2 CRITICAL

Key Information:

Vendor

Notifiarr

Status
Vendor
CVE Published:
2 July 2026

What is CVE-2026-58455?

Dockwatch version 0.6.567 is vulnerable to OS command injection due to inadequate input sanitization in its AJAX functionality. The vulnerability allows remote attackers to exploit a missing exit call in the authentication process, which can lead to arbitrary shell commands being executed via the composePath parameter in ajax/compose.php. By seeding a session flag through the incomplete authentication check, attackers can gain full access and potentially compromise the entire host system, especially in environments with standard Docker socket deployments.
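
An added example, not Dockwatch or Notifiarr code: a heuristic source audit for the missing-exit pattern described above, flagging PHP Location redirects that are not followed by exit, die or return. The PHP samples, the session key name and the handle_request function are constructed for illustration.

```python
import re

# Constructed PHP samples (not Dockwatch source); the session key name is hypothetical.
VULNERABLE_SAMPLE = """<?php
session_start();
if (empty($_SESSION['authenticated'])) {
    header('Location: /login.php');
}
// Execution reaches here even for unauthenticated requests.
handle_request($_POST);
"""

FIXED_SAMPLE = """<?php
session_start();
if (empty($_SESSION['authenticated'])) {
    header('Location: /login.php');
    exit;
}
handle_request($_POST);
"""

REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.IGNORECASE)
TERMINATOR = re.compile(r"^\s*(exit|die|return)\b", re.IGNORECASE)
COMMENT_PREFIXES = ("//", "#", "/*", "*")


def redirects_without_exit(php_source):
    """Return 1-based line numbers of redirects that do not stop the script."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        match = REDIRECT.search(line)
        if not match:
            continue
        # Case 1: terminator on the same line, e.g. header(...); exit;
        tail = line[match.end():]
        after_stmt = tail.split(";", 1)[1] if ";" in tail else ""
        if TERMINATOR.search(after_stmt):
            continue
        # Case 2: terminator is the next line that is neither blank nor a comment.
        following = (l for l in lines[i + 1:]
                     if l.strip() and not l.strip().startswith(COMMENT_PREFIXES))
        if not TERMINATOR.search(next(following, "")):
            findings.append(i + 1)
    return findings
```

A finding is a lead for manual review rather than proof of a bypass: the check is line-based and does not follow control flow.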

Affected Version(s)

dockwatch 0 <= 0.6.567

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rayyb0t (https://github.com/rayyb0t)