Description
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2.
Published: 2026-05-26
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dozzle’s WebSocket upgrade handler for the /exec and /attach endpoints accepted connections from any origin because CheckOrigin always returned true. Coupled with a JWT cookie that had SameSite set to Lax, this allowed a malicious page hosted on a subdomain or localhost to initiate a WebSocket connection to the exec endpoint. The victim’s cookie was automatically sent, giving the attacker an interactive shell inside any container the victim could access. The attacker can then run arbitrary commands within the container, read or modify data, and potentially move laterally within the host environment. The vulnerability is a classic example of Cross‑Site WebSocket Hijacking (CWE‑346).

Affected Systems

The affected product is Dozzle, a real‑time Docker log viewer, with all releases prior to v10.5.2 vulnerable. Versions v10.5.2 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity and the possibility of critical impact on confidentiality, integrity, and availability. EPSS information is not available, so the exploitation probability cannot be quantified, but the vulnerability is actively referenced in advisory links. The vulnerability is not listed in CISA’s KEV catalog, yet an attacker can realistically exploit it from a same‑site subdomain or an attacker‑controlled localhost service. The attack requires only that the victim has a valid JWT cookie and that the victim visits a malicious page that initiates the WebSocket connection. Once the connection is established, the attacker gains shell access to the container. The lack of a pre-existing network barrier makes this exploitation straightforward for an authenticated user or any user who can access the Dozzle interface.

Generated by OpenCVE AI on May 26, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dozzle to version 10.5.2 or later to apply the fixed CheckOrigin handler that rejects cross‑origin requests.
  • After upgrade, verify that the JWT cookie retains SameSite=Lax only for first‑party requests and that no other origin can set the cookie.
  • As a temporary defensive measure, restrict access to the /exec and /attach WebSocket endpoints by firewall rules or by requiring a static token that whitelists the client origin, effectively preventing cross‑origin hijacking until a patch is applied.

Generated by OpenCVE AI on May 26, 2026 at 23:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-j643-x8pv-8m67 Dozzle's Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpointsbypasses authentication
History

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Amirraminfar
Amirraminfar dozzle
CPEs cpe:2.3:a:amirraminfar:dozzle:*:*:*:*:*:docker:*:*
Vendors & Products Amirraminfar
Amirraminfar dozzle
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Thu, 28 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Amir20
Amir20 dozzle
Vendors & Products Amir20
Amir20 dozzle

Tue, 26 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, he WebSocket upgrader for the /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin. Combined with the JWT cookie using SameSite: Lax, this enables Cross-Site WebSocket Hijacking (CSWSH). An attacker hosting a page on a same-site origin (e.g., a sibling subdomain, or another service on localhost) can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This vulnerability is fixed in 10.5.2.
Title Dozzle: Cross-Site WebSocket Hijacking (CSWSH) on exec/attach endpoints bypasses authentication
Weaknesses CWE-346
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Amir20 Dozzle
Amirraminfar Dozzle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T14:15:19.019Z

Reserved: 2026-05-08T16:23:33.265Z

Link: CVE-2026-44985

cve-icon Vulnrichment

Updated: 2026-05-28T14:15:12.972Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T22:16:43.587

Modified: 2026-05-29T19:30:05.600

Link: CVE-2026-44985

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T00:00:16Z

Weaknesses