CVE-2026-58455: Dockwatch 0.6.567 Unauthenticated OS Command Injection via ajax/compose.php
Dockwatch through 0.6.567 contains an unauthenticated OS command injection vulnerability that allows remote attackers to execute arbitrary shell commands. The flaw combines a missing exit() after an authentication redirect in loader.php with unsanitized input passed to shell_exec() in ajax/compose.php. Attackers can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter of the composePull action to achieve full host compromise, facilitated by the Docker socket being mounted into the container in the standard deployment.
Metrics
- CVSS v4.0: 9.2
- Severity: CRITICAL
- Fixed in: none yet (awaiting upstream fix)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Unauthenticated OS command injection in Dockwatch (versions through 0.6.567) allows a remote attacker with no credentials to execute arbitrary shell commands on the host. The flaw combines a missing exit() after an authentication redirect in loader.php with unsanitized input passed to shell_exec() in ajax/compose.php, reachable over the network without any login. Successful exploitation gives the attacker full control of the host, amplified by Dockwatch's standard deployment pattern of mounting the Docker socket. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-58455 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Dockwatch at the affected version. Any image in a connected registry or CI/CD pipeline that includes a vulnerable Dockwatch build is flagged automatically.
- Scoring and routing: Available. HarborGuard scores this CVE at CVSS v4.0 9.2 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Teams with policy rules tied to unauthenticated remote-code-execution findings receive immediate inbox routing, ensuring the alert reaches the right responder without manual filtering.
- Patched-image rebuild: Pending upstream. Because no upstream fix has been published for CVE-2026-58455, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Notifiarr ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without any manual intervention once a fix version exists.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint in ajax/compose.php is exposed over the network, meaning an attacker must be able to reach the Dockwatch HTTP service from a remote host.
- Authentication: Not required
No credentials are needed; the flaw stems from a missing exit() after the auth redirect, allowing the attacker to bypass authentication entirely and seed the required session flag without logging in.
- Victim interaction: Not required
Exploitation is fully server-side via a crafted POST request; no user action or social-engineering step is required.
- Attack complexity: Low (AC:L), with attack requirements present (AT:P)
The CVSS v4.0 vector specifies AC:L (low complexity) with AT:P (attack requirements present), meaning the exploit itself is straightforward and reliable but depends on the attacker reaching the service and meeting the session-seeding precondition described in the vulnerability.
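The two defects named in the Synopsis and under Exploit Conditions, shown as an added illustration with their fixes. This is not Dockwatch's code: the function names, the session key, the compose root directory and the command shape are assumptions used to demonstrate the pattern (a PHP redirect that keeps executing, and a user-supplied path spliced into shell_exec()).

```php
<?php
// Added illustration, not Dockwatch's code. Assumes session_start() has run
// and that compose files live under a fixed root directory (assumed: /compose).

// Defect 1: an auth guard that redirects but does not stop the request.
function requireLoginVulnerable(): void {
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        // Missing exit(): PHP sends the redirect header but keeps executing,
        // so whatever endpoint included this guard still runs for an anonymous caller.
    }
}

// Fix: terminate the request right after the redirect.
function requireLoginFixed(): void {
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        exit; // nothing below this point runs for an unauthenticated request
    }
}

// Defect 2: a request parameter concatenated into a shell command line.
function composePullVulnerable(string $composePath): ?string {
    // Any shell metacharacters in $composePath become part of the command.
    return shell_exec("docker compose -f $composePath pull 2>&1");
}

// Fix: require authentication, resolve the path, confine it to the compose root,
// accept only a compose file name, and quote the single argument that is passed on.
function composePullFixed(string $composePath, string $composeRoot = '/compose'): ?string {
    requireLoginFixed();
    $real = realpath($composePath);   // canonical path, or false if it does not exist
    $root = realpath($composeRoot);
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0           // stays under the root
        || !preg_match('~/(docker-)?compose\.ya?ml$~', $real)) {       // is a compose file
        http_response_code(400);
        return null;
    }
    return shell_exec('docker compose -f ' . escapeshellarg($real) . ' pull 2>&1');
}
```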
Blast Radius
- Attacker executes arbitrary shell commands as the Dockwatch process user, gaining full filesystem read and write access on the host.
- Via the Docker socket mounted into the container by default, the attacker can create, modify, or destroy any container on the host and pivot to other running workloads.
- Confidential data stored or accessible on the host, including environment variables, secrets files, and mounted volumes, is readable and exfiltrable.
- The attacker can install persistent processes or backdoors, effectively achieving a full host compromise that survives container restarts.
How HarborGuard Handles This
Status: Available on HarborGuard. Because no patched version of Dockwatch exists at this time, HarborGuard continuously monitors the Notifiarr advisory and will surface a patched-image rebuild the moment an upstream fix is released. For environments with auto-remediation enabled, the rebuild, regression run, and PR flow will trigger automatically without manual steps. In the meantime, customers should consider the following compensating controls:
- Restrict network access to the Dockwatch HTTP port using Kubernetes NetworkPolicy or host-level firewall rules so only trusted sources can reach ajax/compose.php.
- Evaluate whether the Docker socket mount is strictly necessary and apply the principle of least privilege to the container's host access.
- Flag any image containing Dockwatch 0.6.567 or earlier as a policy violation in HarborGuard's compliance rules to block promotion to production until a fix is available.
HarborGuard will re-check the advisory on every ingest cycle and send an updated finding the moment fix version data is published.
Affected Products
- Notifiarr / dockwatch: ≤ 0.6.567
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N