⚡ Active KEV CVE-2026-58455 2026-07-02

CVE-2026-58455: Unauthenticated Command Injection in Notifiarr Dockwatch

"A critical unauthenticated OS command injection flaw in Notifiarr's Dockwatch lets remote attackers run arbitrary shell commands and fully compromise the host."

What Is It

CVE-2026-58455 is an unauthenticated OS command injection vulnerability (CWE-78, CWE-698) affecting Notifiarr Dockwatch through version 0.6.567. The root cause is a missing exit() after an authentication redirect in loader.php, combined with unsanitized input reaching shell_exec() in ajax/compose.php. An attacker can seed the required session flag through the incomplete auth check, then inject arbitrary commands via the composePath POST parameter in the composePull action. NVD assigns it a CVSS 3.1 base score of 9.8 (CRITICAL) with an attack vector of NETWORK, LOW attack complexity, and no privileges or user interaction required.
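The two defect patterns the advisory describes, Execution After Redirect and unsanitized input reaching shell_exec(), shown next to their fixes. This is a constructed PHP illustration added here, not Dockwatch's code; the function names, /login.php, the session key and COMPOSE_ROOT are assumptions.

```php
<?php
// Constructed illustration of the two bug classes in the advisory.
// NOT Dockwatch's code; names and paths are assumptions.

// --- Pattern 1: Execution After Redirect (CWE-698) ------------------
// Vulnerable: the redirect header is sent, but the script keeps running,
// so every statement below still executes for an unauthenticated request.
function requireLoginVulnerable(): void {
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        // missing exit(): execution continues after the redirect
    }
}

// Fixed: stop the script immediately after issuing the redirect.
function requireLogin(): void {
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        exit();
    }
}

// --- Pattern 2: untrusted input reaching the shell (CWE-78) ---------
// Vulnerable: a request parameter is interpolated into a shell command.
function composePullVulnerable(string $composePath): ?string {
    return shell_exec("docker compose -f $composePath pull 2>&1");
}

// Fixed: confine the path to a known compose root, then pass it as a
// single quoted argument. COMPOSE_ROOT is an assumed config value.
const COMPOSE_ROOT = '/compose';

function composePull(string $composePath): ?string {
    $real = realpath($composePath);
    $root = realpath(COMPOSE_ROOT);
    if ($real === false || $root === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0
        || !preg_match('/\.ya?ml$/', $real)) {
        http_response_code(400);
        return null;
    }
    // escapeshellarg() turns the value into one literal argument; the
    // realpath prefix check is what keeps it inside the expected directory.
    $cmd = 'docker compose -f ' . escapeshellarg($real) . ' pull 2>&1';
    return shell_exec($cmd);
}

requireLogin();
echo composePull((string)($_POST['composePath'] ?? ''));
```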

Why It Matters

Because the flaw requires no authentication and can be triggered remotely over the network, any exposed Dockwatch instance is at risk of full host compromise. The impact is amplified by Dockwatch's standard deployment, which mounts the Docker socket, giving an attacker who achieves code execution a direct path to control the underlying host and other containers. Confidentiality, integrity, and availability impacts are all rated HIGH.

What's Vulnerable

Patch Status

A fix is referenced via GitHub pull request #135 for the Dockwatch repository. Administrators running any version up to and including 0.6.567 should update to a patched release and, given the Docker socket exposure, restrict network access to Dockwatch instances. The NVD record lists no CISA KEV entry, so there is no confirmation of active exploitation in the supplied source material.

Sources