Description
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
Published: 2026-05-26
Score: 8.6 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dozzle allows unauthenticated clients to access POST /api/notifications/test-webhook, which forwards an attacker‑specified URL and optional headers to an external service. The response status and up to 1 MB of the response body are returned when the target replies with a non‑2xx status code. This enables an attacker to trigger outbound requests to arbitrary hosts and receive sensitive data from the response body, thereby exposing internal network services and leaking potentially confidential information.

Affected Systems

The vulnerability affects Dozzle version 10.5.x and earlier when deployed with Docker’s default quickstart using no authentication (DOZZLE_AUTH_PROVIDER not set). Users running Dozzle 10.5.1 or earlier with unconstrained access to the /api/notifications/test-webhook endpoint are impacted.

Risk and Exploitability

With a CVSS score of 8.6, this SSRF is considered high severity. The EPSS score of 1% indicates a lower probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Because the endpoint is reachable without authentication in the default configuration, any host that can reach the Dozzle service can send a POST request to the test‑webhook URL, triggering a backend request to an attacker‑controlled host and exposing up to 1 MB of that response. If internal network hosts contain sensitive services, the attacker could discover them or exfiltrate data, making exploitation highly advantageous for a threat actor (inferred).

Generated by OpenCVE AI on June 18, 2026 at 13:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Dozzle to version 10.5.2 or later to eliminate the CWE‑918 weakness.
  • Implement strict input validation and enforce a whitelist of allowed outbound URLs for the webhook dispatcher to prevent arbitrary HTTP requests.
  • Enforce authentication or restrict network access to the /api/notifications/test-webhook endpoint so that only trusted users or IP ranges can invoke the feature.
  • If feasible, disable or remove the webhook test functionality to eliminate the exposure entirely.

Generated by OpenCVE AI on June 18, 2026 at 13:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3v9w-6365-9w54 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
History

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Amirraminfar
Amirraminfar dozzle
CPEs cpe:2.3:a:amirraminfar:dozzle:*:*:*:*:*:docker:*:*
Vendors & Products Amirraminfar
Amirraminfar dozzle

Wed, 27 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Amir20
Amir20 dozzle
Vendors & Products Amir20
Amir20 dozzle

Tue, 26 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
Title Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


Subscriptions

Amir20 Dozzle
Amirraminfar Dozzle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T14:23:39.845Z

Reserved: 2026-05-11T20:14:43.201Z

Link: CVE-2026-45298

cve-icon Vulnrichment

Updated: 2026-05-27T14:23:29.607Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-26T22:16:43.733

Modified: 2026-06-17T10:51:53.200

Link: CVE-2026-45298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)