CVE-2026-58455

Notifiarr · dockwatch

Dockwatch is vulnerable to unauthenticated OS command injection via improper session handling and unsanitized input in the composePath parameter.

Executive summary

Dockwatch is vulnerable to unauthenticated remote OS command injection; in the common deployment where the Docker socket is mounted into the container, this lets an attacker gain full control of the host.

Vulnerability

The vulnerability exists due to a missing exit condition after an authentication redirect, combined with unsanitized input passed to shell_exec() in ajax/compose.php. An attacker can manipulate session flags to bypass authentication and inject arbitrary shell commands.
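The two defects described above, modelled side by side as an added illustration (this is not Dockwatch's code and the original is PHP; the handler shapes, the session flag name `authenticated`, the `/login.php` redirect target and the `/config/compose` base directory are assumptions). `handle_vulnerable` sets a redirect header but keeps executing and then concatenates the untrusted `composePath` into a shell string, which is the `shell_exec()` pattern; `handle_fixed` returns immediately after the redirect, confines the path to the configured base directory and builds an argv list so no shell ever parses the value. Both return a dry-run description of what would be executed instead of invoking docker, so the example runs offline.

```python
import os
from dataclasses import dataclass, field

COMPOSE_BASE = "/config/compose"   # assumed base directory for compose files


@dataclass
class Response:
    status: int = 200
    headers: dict = field(default_factory=dict)
    executed: object = None        # what would have been executed, or None


def handle_vulnerable(session: dict, params: dict) -> Response:
    """Model of the flawed handler: redirect without exit, then shell string."""
    resp = Response()
    if not session.get("authenticated"):
        # Redirect header is set, but execution continues: the missing exit.
        resp.status, resp.headers["Location"] = 302, "/login.php"
    # shell_exec-style concatenation: attacker-controlled text is handed to a
    # shell, which interprets ';', '|', '$(...)' and friends as syntax.
    cmd = "docker compose -f " + params.get("composePath", "") + " ps"
    resp.executed = ("shell", cmd)
    return resp


def handle_fixed(session: dict, params: dict) -> Response:
    """Hardened handler: stop after the redirect, confine the path, no shell."""
    resp = Response()
    if not session.get("authenticated"):
        resp.status, resp.headers["Location"] = 302, "/login.php"
        return resp                               # the exit that was missing
    raw = params.get("composePath", "")
    # Resolve relative to the base directory and reject anything that escapes it
    # (absolute paths replace the base in os.path.join and are caught the same way).
    candidate = os.path.normpath(os.path.join(COMPOSE_BASE, raw))
    if os.path.commonpath([COMPOSE_BASE, candidate]) != COMPOSE_BASE:
        resp.status = 400
        return resp
    if not candidate.endswith((".yml", ".yaml")):
        resp.status = 400
        return resp
    # argv list: metacharacters in the value are just bytes of a filename.
    resp.executed = ("argv", ["docker", "compose", "-f", candidate, "ps"])
    return resp


if __name__ == "__main__":
    anon, auth = {}, {"authenticated": True}
    print(handle_vulnerable(anon, {"composePath": "demo.yml; echo injected"}))
    print(handle_fixed(anon, {"composePath": "demo.yml"}))
    print(handle_fixed(auth, {"composePath": "demo.yml"}))
    print(handle_fixed(auth, {"composePath": "../../outside/stack.yml"}))
```

The allowlist check (base-directory confinement plus an extension check) is what makes the argv form safe on its own; `escapeshellarg()` in PHP would neutralise shell syntax but would not stop the handler from operating on a compose file outside the intended directory.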

Business impact

With a CVSS score of 9.8, this flaw allows an attacker to achieve full host system compromise. Because Dockwatch is typically deployed with the Docker socket mounted, a successful command injection allows the attacker to escape the container, modify host-level files, and gain complete control over the underlying infrastructure.

Remediation

Immediate Action: Update to the latest version of dockwatch to ensure proper authentication enforcement and input sanitization.

Proactive Monitoring: Monitor system process logs for unexpected shell execution originating from the web server process and audit Docker container configurations for security risks.

Compensating Controls: If immediate patching is not possible, remove the Docker socket mount from the container or restrict network access to the dockwatch interface using firewall rules.
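An added example (not Dockwatch's or Notifiarr's code) supporting the monitoring and audit items above: it scans auditd-style `execve` records for shells spawned under the web server account, and checks `docker inspect` output for containers that bind-mount the Docker socket. The audit lines and inspect records are constructed samples; the web server uid of 33, the container names and the host paths are assumptions, not values from the advisory.

```python
import json
import re

WEBSERVER_UIDS = {"33"}          # www-data on Debian-based images (assumed)
SHELLS = {"sh", "bash", "dash", "ash"}
DOCKER_SOCKET = "/var/run/docker.sock"
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed auditd-style records: one shell spawned by the web server user,
# one root cron-style shell, and one non-shell exec by the web server user.
SAMPLE_AUDIT = [
    'type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=913 uid=33 gid=33 comm="sh" exe="/usr/bin/dash" key="exec"',
    'type=EXECVE msg=audit(1700000000.101:501): argc=3 a0="sh" a1="-c" a2="docker compose -f /config/compose/demo.yml ps"',
    'type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1200 uid=0 gid=0 comm="bash" exe="/usr/bin/bash" key="exec"',
    'type=EXECVE msg=audit(1700000000.250:502): argc=2 a0="bash" a1="/usr/local/bin/backup.sh"',
    'type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=59 success=yes exit=0 ppid=812 pid=914 uid=33 gid=33 comm="php-fpm8.2" exe="/usr/sbin/php-fpm8.2" key="exec"',
]

# Constructed `docker inspect` output for two containers; only the first
# exposes the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/dockwatch",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/opt/dockwatch/config:/config"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"},
                {"Type": "bind", "Source": "/opt/dockwatch/config",
                 "Destination": "/config"}]},
    {"Name": "/nginx",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html"}]},
])


def parse_audit_line(line: str) -> dict:
    """Parse `key=value` / `key="quoted value"` pairs; keep the audit id as _id."""
    rec = {}
    for key, value, quoted in KV_RE.findall(line):
        rec[key] = quoted if value.startswith('"') else value
    m = re.search(r"audit\(([^)]+)\)", rec.get("msg", ""))
    rec["_id"] = m.group(1) if m else None
    return rec


def find_shells_from_webserver(lines) -> list:
    """Correlate SYSCALL and EXECVE records by audit id; report shells run as the web server uid."""
    syscalls, execves = {}, {}
    for line in lines:
        rec = parse_audit_line(line)
        if rec.get("type") == "SYSCALL":
            syscalls[rec["_id"]] = rec
        elif rec.get("type") == "EXECVE":
            execves[rec["_id"]] = rec
    hits = []
    for rid, sc in syscalls.items():
        if sc.get("uid") in WEBSERVER_UIDS and sc.get("comm") in SHELLS:
            ev = execves.get(rid, {})
            # a0, a1, ... a10 must be ordered numerically, not lexically
            keys = sorted((k for k in ev if re.fullmatch(r"a\d+", k)),
                          key=lambda k: int(k[1:]))
            hits.append({"id": rid, "pid": sc.get("pid"),
                         "argv": [ev[k] for k in keys]})
    return hits


def containers_with_docker_socket(inspect_json: str) -> list:
    """Return names of containers whose binds or mounts expose the Docker socket."""
    exposed = []
    for c in json.loads(inspect_json):
        sources = [b.split(":")[0] for b in (c.get("HostConfig", {}).get("Binds") or [])]
        sources += [m.get("Source", "") for m in c.get("Mounts", [])]
        if DOCKER_SOCKET in sources:
            exposed.append(c["Name"].lstrip("/"))
    return exposed


if __name__ == "__main__":
    for hit in find_shells_from_webserver(SAMPLE_AUDIT):
        print("shell spawned under web server uid:", hit)
    print("containers exposing the Docker socket:",
          containers_with_docker_socket(SAMPLE_INSPECT))
```

Real input comes from an auditd rule on the `execve` syscall (`ausearch -sc execve` output has this key=value shape) and from `docker inspect $(docker ps -q)`. A Dockwatch instance that works as designed will itself spawn shells from the web server account, so the first check is a baseline to tune against known-good argv patterns rather than a zero-tolerance alarm; the second check is the direct test for the compensating control above, since a container that no longer appears in its output has had the socket mount removed.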

Exploitation status

Public Exploit Available: False

Analyst recommendation

This is a critical vulnerability that effectively grants host-level access to any unauthenticated attacker. Remediation must be performed immediately, and environments should be audited for signs of prior unauthorized access. Given the risk of container breakout, users should prioritize the principle of least privilege regarding Docker socket access in all deployments.