
CVE-2026-58455: Critical Dockwatch RCE via Unauthenticated Command Injection — Detection and Hardening

Security Arsenal Team
July 3, 2026

Introduction

A critical vulnerability designated CVE-2026-58455 (CVSS 9.8) has been disclosed in Dockwatch, a widely utilized component for monitoring and managing Docker containers. This flaw is particularly severe because it bypasses authentication entirely, allowing remote attackers to execute arbitrary operating system commands.

The danger is amplified by the standard deployment architecture of Dockwatch, which typically requires mounting the host's Docker socket (/var/run/docker.sock). Consequently, a successful exploit does not just compromise the containerized application; it provides attackers with a direct pathway to compromise the underlying host, facilitating container escape and lateral movement across the infrastructure. Defenders must treat this as a critical priority, as the barrier to entry is low (unauthenticated network access) and the potential impact is total system compromise.

Technical Analysis

Affected Products:

  • Vendor: Dockwatch
  • Affected Versions: Through 0.6.567

Vulnerability Details:

  • CVE ID: CVE-2026-58455
  • CVSS Score: 9.8 (CRITICAL)
  • Vector: NETWORK

The Vulnerability Mechanics: This vulnerability is a classic chain of logic flaws and input sanitization failures. The attack chain exploits two specific issues in the application code:

  1. Authentication Bypass (loader.php): The application fails to call exit() or die() immediately after an authentication redirect. In many PHP configurations, the script continues to execute subsequent lines of code even after the redirect header is sent. This allows an unauthenticated user to reach logic paths intended only for authenticated sessions, effectively "seeding" the required session flags.

  2. OS Command Injection (ajax/compose.php): The endpoint ajax/compose.php takes user input via the composePath POST parameter during a composePull action and passes it directly to the shell_exec() function without adequate sanitization or validation.

Attack Chain:

  1. The attacker sends a request to loader.php, triggering the authentication redirect. Because the script does not terminate, the attacker's session state is modified, bypassing the intended login gate.
  2. With the session flag set, the attacker issues a POST request to ajax/compose.php.
  3. They inject arbitrary shell commands into the composePath parameter.
  4. The server executes these commands via shell_exec() with the privileges of the web server/user.
  5. Because the container is usually run with the Docker socket mounted (e.g., -v /var/run/docker.sock:/var/run/docker.sock), the attacker can now communicate with the Docker daemon to spawn new containers, mount host file systems, and achieve full host compromise.
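The two code-level flaws described above, each beside a hardened form, as an added PHP illustration written for this article. It is not Dockwatch's code: the file layout, the session keys, the compose root directory and the function names are assumed, and the "vulnerable" functions only reproduce the pattern the analysis describes.

```php
<?php
// Added illustration for this article; NOT Dockwatch's code. Session keys,
// paths and function names are assumptions.

// --- Flaw 1: redirect without terminating the script (the loader.php pattern) ---
function vulnerableAuthGate(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php');
        // Missing exit: header() only queues a response header. PHP keeps
        // executing the lines below, so an unauthenticated request still
        // reaches the privileged path and "seeds" the session flag.
    }
    $_SESSION['composeAllowed'] = true;
}

function hardenedAuthGate(): void
{
    if (empty($_SESSION['authenticated'])) {
        header('Location: /login.php', true, 302);
        exit; // nothing below runs for an unauthenticated request
    }
    $_SESSION['composeAllowed'] = true;
}

// --- Flaw 2: POST input concatenated into shell_exec() (the ajax/compose.php pattern) ---
function vulnerableComposePull(string $composePath): ?string
{
    // The raw parameter becomes part of the command string, so any shell
    // metacharacters it contains are interpreted by /bin/sh.
    return shell_exec('docker compose -f ' . $composePath . ' pull');
}

// Hardened form: resolve the path, confine it to an allowlisted root, require
// a compose file extension, and pass it to the shell as a single quoted argument.
function hardenedComposePull(string $composePath, string $allowedRoot = '/opt/compose'): ?string
{
    $real = realpath($composePath);   // false if the file does not exist
    $root = realpath($allowedRoot);
    if ($real === false || $root === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0
        || !preg_match('/\.ya?ml$/i', $real)) {
        http_response_code(400);
        return null;
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so it can only ever be one argument to docker, never a second command.
    return shell_exec('docker compose -f ' . escapeshellarg($real) . ' pull');
}

// Request handling as the hardened endpoint would wire it together.
session_start();
hardenedAuthGate();
if (($_POST['action'] ?? '') === 'composePull') {
    echo hardenedComposePull((string) ($_POST['composePath'] ?? '')) ?? 'rejected';
}
```

Note that the hardened version still runs docker with the web server user's privileges; as the analysis above points out, if the Docker socket is mounted into the container, that user is effectively root on the host, so the path allowlist is a necessary fix but not a substitute for the container-hardening steps in the Remediation section.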

Exploitation Status: While specific in-the-wild exploitation campaigns have not been detailed in the NVD entry at this time, the simplicity of the exploit (unauthenticated, logical error combined with standard RCE) makes active scanning and exploitation imminent. The availability of the source code for affected versions allows for trivial PoC development.

Detection & Response

Sigma Rules

The following Sigma rules detect the specific web request patterns associated with the exploitation of this vulnerability, as well as the generic behavior of a web server spawning a shell, which is highly anomalous in this context.

YAML — Sigma
---
title: Dockwatch composePull Command Injection Attempt
id: 9c2b3d4e-1f5a-4b8c-9e0d-1a2b3c4d5e6f
status: experimental
description: Detects potential exploitation of CVE-2026-58455 via POST requests to ajax/compose.php carrying the composePull action and composePath parameter.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-58455
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2026-58455
logsource:
  category: web
  product: apache
  # Or nginx, iis, etc. - adjust based on env
detection:
  selection_request:
    cs-method: POST
    cs-uri-stem|endswith: '/ajax/compose.php'
  selection_params:
    # composePull and composePath are POST body parameters. Default access logs
    # do not record the request body, so this selection only matches on a log
    # source that does (WAF / audit logging). Without one, use
    # 'condition: selection_request' and accept the broader match.
    cs-uri-query|contains|all:
      - 'composePull'
      - 'composePath'
  condition: selection_request and selection_params
falsepositives:
  - Legitimate administrative use of Dockwatch compose features
level: high
---
title: Web Server Spawning Shell Indicator
id: 8a1b2c3d-4e5f-6789-0a1b-2c3d4e5f6789
status: experimental
description: Detects suspicious process execution where a web server (PHP/Apache/Nginx) spawns a shell, indicative of RCE.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-58455
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.execution
  - attack.t1059.004
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|endswith:
      - '/apache2'
      - '/httpd'
      - '/nginx'
      - '/php-fpm'
      - '/php-cgi'
  selection_child:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
      - '/dash'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative scripts executed via web interface (rare)
level: critical

KQL (Microsoft Sentinel / Defender)

This query hunts for the specific web access patterns in proxy or firewall logs, and correlates with process creation data if available via Linux agents.

KQL — Microsoft Sentinel / Defender
// Hunt for suspicious ajax/compose.php requests indicating CVE-2026-58455 exploitation
// Adjust table names based on your log source (CommonSecurityLog, Syslog, DeviceNetworkEvents)
let lookback = 1d;
let WebEvents = materialize (
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where RequestProtocol in ("HTTP", "HTTPS")
    | where RequestMethod =~ "POST"
    | where RequestURL has "ajax/compose.php"
    // composePull is a POST body parameter; this filter only helps when the
    // log source records request parameters (WAF / full request logging)
    | where RequestURL has "composePull"
    | project TimeGenerated, SourceIP, DestinationIP, DestinationHostName, RequestURL, RequestClientApplication
);
// Correlate with process execution on the Linux host (requires Defender for Endpoint on the host)
let ProcessEvents = materialize (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in ("apache2", "httpd", "nginx", "php-fpm", "php-cgi")
    | where FileName in ("sh", "bash", "dash", "zsh")
    | project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine
);
WebEvents
// DeviceProcessEvents carries no IP column, so join on hostname; normalize case
// (and FQDN vs short name, if your CEF source differs) to match DeviceName
| extend HostKey = tolower(DestinationHostName)
| join kind=inner (ProcessEvents | extend HostKey = tolower(DeviceName)) on HostKey
// A shell spawned by the web server within a few minutes of the request is the signal
| where Timestamp between (TimeGenerated .. (TimeGenerated + 5m))
| project TimeGenerated, SourceIP, DestinationIP, DeviceName, RequestURL, Timestamp, InitiatingProcessFileName, ProcessCommandLine

Velociraptor VQL

This Velociraptor artifact hunts for processes on the Docker host or within the container environment where the parent process is a web server and the child is a shell. It also checks for the presence of vulnerable Dockwatch versions.

VQL — Velociraptor
-- Hunt for web servers spawning shells (RCE indicator).
-- =~ is a regex match in VQL, so the patterns are anchored: a bare 'sh' would
-- also match sshd, ssh-agent, fish and similar process names.
SELECT Pid, Ppid, Name, Exe, Username, StartTime, CommandLine
FROM pslist()
WHERE Ppid IN (
    SELECT Pid FROM pslist() WHERE Name =~ '^(apache2?|httpd|nginx|php-fpm|php-cgi|php)$'
)
AND Name =~ '^(sh|bash|dash|zsh)$'

-- Check for Dockwatch container images (case-insensitive match on the image reference)
SELECT ContainerId, Image, ImageID, Created, Command, State
FROM containers()
WHERE Image =~ '(?i)dockwatch'
-- Note: Specific version regex parsing from image tags may be required for exact ID match

Remediation Script (Bash)

The following bash script assists in identifying vulnerable Dockwatch deployments and provides immediate containment steps by checking the Docker socket exposure and running containers.

Bash / Shell
#!/bin/bash

# CVE-2026-58455 Remediation Script
# Identifies vulnerable Dockwatch containers and checks Docker socket mounts

set -u

echo "[*] Scanning for vulnerable Dockwatch instances (CVE-2026-58455)..."

# Find running Dockwatch containers. 'docker ps --filter ancestor=' needs the exact
# image reference, so a registry-qualified image (registry/org/dockwatch:tag) would be
# missed; match on the image column instead.
VULNERABLE_CONTAINERS=$(docker ps --format '{{.ID}} {{.Image}}' | awk 'tolower($2) ~ /dockwatch/ {print $1}')

if [ -z "$VULNERABLE_CONTAINERS" ]; then
    echo "[+] No running Dockwatch containers found based on image name."
else
    echo "[!] WARNING: Found Dockwatch containers running. Check versions manually (fixed in versions above 0.6.567)."
    for CONTAINER_ID in $VULNERABLE_CONTAINERS; do
        docker ps --filter "id=$CONTAINER_ID" --format "{{.ID}}\t{{.Image}}\t{{.Status}}\t{{.Ports}}"
    done

    echo "[!] Checking for Docker socket mounts and network exposure..."
    for CONTAINER_ID in $VULNERABLE_CONTAINERS; do
        MOUNTS=$(docker inspect --format='{{range .Mounts}}{{if eq .Destination "/var/run/docker.sock"}}{{.Source}}{{end}}{{end}}' "$CONTAINER_ID")
        if [ -n "$MOUNTS" ]; then
            echo "[CRITICAL] Container $CONTAINER_ID has Docker socket mounted at $MOUNTS. This increases risk significantly."
        fi
        # Ports published on 0.0.0.0 or :: are reachable from every host interface
        PORTS=$(docker port "$CONTAINER_ID" 2>/dev/null | grep -E '0\.0\.0\.0|:::' || true)
        if [ -n "$PORTS" ]; then
            echo "[WARN] Container $CONTAINER_ID publishes ports on all interfaces:"
            echo "$PORTS"
        fi
    done
fi

echo "[*] Recommended Actions:"
echo "1. Update Dockwatch to version > 0.6.567 immediately."
echo "2. If immediate patching is impossible, stop the container: docker stop <container_id>"
echo "3. Review network exposure; ensure Dockwatch is not accessible from the public internet."
echo "4. If updating, pull the fixed image using the image reference shown above (e.g., docker pull <image>:<fixed_tag>)"

Remediation

1. Immediate Patching: Update Dockwatch to the latest version immediately. Versions 0.6.567 and below are vulnerable. Verify with your vendor that the updated version addresses the loader.php logic flaw and sanitizes inputs in ajax/compose.php.

2. Network Segmentation: Dockwatch interfaces should never be exposed to the public internet. Restrict access to internal IP ranges only (e.g., via VPN or internal subnet) using firewall rules or cloud security groups.

3. Container Hardening: Review the deployment configuration for Dockwatch. If the Docker socket (/var/run/docker.sock) is mounted, ensure it is strictly necessary. If monitoring is required, consider using tools that adhere to the principle of least privilege rather than granting raw socket access. If the socket must be mounted, ensure the host file system permissions on the socket are restrictive, though this offers limited protection against container-escape attacks.

4. Vendor Advisory: Refer to the official NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2026-58455) and the Dockwatch vendor's release notes for confirmation of the patch.
