VDB
GCVE-110-OSM-2026-1206
GCVE-110-OSM-2026-1206
Advisory PublishedCVSS 9.6/10
Performs a Docker container escape recon (reads /proc/self/status capabilities, /proc/1/root host filesystem, /sys/fs/cgroup/release_agent), queries the Hetzner cloud metadata service at 169.254.169.254 for the server's hostname, public IP, private network config, instance ID, region, and user-data script. Attempts SSH brute force to the Docker host (172.17.0.1) with passwords ['1QKtYPp18UsyU2ZwInVM', 'root', ''] across users root/ubuntu/node/strapi. Exfiltrates Linux capabilities, cgroup struct
postinstall.js (161 lines): (1) Reads container capabilities: /proc/self/status (CapPrm, CapEff, CapBnd), seccomp status — determines if running privileged. (2) Checks /proc/1/root filesystem access (host escape via pid 1 namespace). (3) Reads /sys/fs/cgroup/release_agent for cgroup escape vector. (4) Tests if privileged via 'ip link add dummy0 type dummy'. (5) SSH brute force: sshpass -p '1QKtYPp18UsyU2ZwInVM' ssh -p 22/2020 root/ubuntu/node/strapi@172.17.0.1. (6) Full Hetzner IMDS enumeration. (7) Scans Docker bridge 172.17.0.1-172.17.0.20 on 11 ports via curl. (8) Attempts host filesystem reads via /proc/1/root/opt/secrets/, /proc/1/root/etc/shadow, /proc/1/root/root/.ssh/.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | strapi-plugin-guardarian-ext | 3.6.8 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.