CVE-2026-58455
Notifiarr · dockwatch
Dockwatch is vulnerable to unauthenticated OS command injection via improper session handling and unsanitized input in the composePath parameter.
Executive summary
Dockwatch is vulnerable to unauthenticated remote OS command injection. Because the container is typically run with the Docker socket mounted, command execution inside the container extends to full control of the host.
Vulnerability
The vulnerability has two parts. First, the authentication check issues a redirect for requests without a valid session but does not terminate the script afterwards, so the rest of the handler still executes and the request proceeds as if the session check had passed. Second, in ajax/compose.php the attacker-controlled composePath parameter is passed unsanitized into a command string executed with shell_exec(). Together these allow an unauthenticated attacker to reach the vulnerable code path and inject arbitrary shell commands, which run with the privileges of the web server process inside the container.
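The two defects side by side with a hardened form, as an added illustration that is not dockwatch's code. Only composePath, shell_exec() and the redirect-without-exit pattern come from the advisory; the function names, the session key, the redirect target, the docker compose command line and the compose root directory are assumptions.

```php
<?php
// Illustrative sketch, not dockwatch's actual code. Names other than
// composePath and shell_exec() are assumptions chosen for the example.

// --- Vulnerable pattern ------------------------------------------------------
// (1) header() only queues an HTTP header; the script keeps running, so for an
//     unauthenticated request everything below still executes and its output
//     is returned in the body of the 302 response.
// (2) composePath is concatenated straight into a shell command line.
function vulnerableHandler(array $session, array $post): string
{
    if (empty($session['loggedIn'])) {          // assumed session flag name
        header('Location: /login.php');         // assumed redirect target
        // missing: exit;
    }
    // Constructed sample input: a value carrying shell metacharacters, e.g.
    // "/config/docker-compose.yml; id", is executed as two commands.
    $composePath = $post['composePath'] ?? '';
    return (string) shell_exec('docker compose -f ' . $composePath . ' config');
}

// --- Hardened pattern --------------------------------------------------------
// Stop the script on the auth failure, allow-list the path to the directory
// that legitimately holds compose files, and still quote the argument.
function hardenedHandler(array $session, array $post, string $composeRoot): string
{
    if (empty($session['loggedIn'])) {
        header('Location: /login.php');
        exit;                                   // no fall-through past the check
    }

    $root = realpath($composeRoot);             // e.g. "/config" (assumed)
    $real = realpath($post['composePath'] ?? '');
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0
        || !is_file($real)) {
        http_response_code(400);
        return '';                              // reject anything outside the root
    }

    // escapeshellarg() makes the path a single literal argument even if it
    // passed the allow-list with odd characters in the file name.
    return (string) shell_exec('docker compose -f ' . escapeshellarg($real) . ' config');
}
```

The allow-list (realpath plus prefix check) is what removes the attacker's control over the command; escapeshellarg() is defence in depth rather than the primary fix. The exit after header() is what restores the authentication boundary, since PHP will otherwise serve the redirect and the handler's output in the same response.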
Business impact
With a CVSS score of 9.8, this flaw allows an attacker to achieve full host system compromise. Because Dockwatch is typically deployed with the Docker socket mounted, a successful command injection gives the attacker a client with root-equivalent control of the Docker daemon: from inside the container they can start privileged containers or mount host paths, effectively escaping the container, modifying host-level files and gaining complete control over the underlying infrastructure.
Remediation
Immediate Action: Update to the latest version of dockwatch to ensure proper authentication enforcement and input sanitization.
Proactive Monitoring: Monitor process and audit logs for unexpected shell execution spawned by the web server process inside the dockwatch container, and audit Docker container configurations for security risks such as socket mounts and privileged flags.
Compensating Controls: If immediate patching is not possible, remove the Docker socket mount from the container (which disables the functionality that depends on it but removes the path to host compromise) or restrict network access to the dockwatch interface using firewall rules so that only trusted hosts can reach it.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This is a critical vulnerability that effectively grants host-level access to any unauthenticated attacker. Remediation must be performed immediately, and environments should be audited for signs of prior unauthorized access. Given the risk of container breakout, users should prioritize the principle of least privilege regarding Docker socket access in all deployments.