Description
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
Published: 2026-05-26
Score: 8.6 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dozzle allows unauthenticated clients to access POST /api/notifications/test-webhook, which forwards an attacker-specified URL and optional headers to an external service. The response status and up to 1 MB of the response body are returned when the target replies with a non‑2xx status code. This lets an attacker trigger outbound requests to arbitrary hosts, potentially exposing internal network services and leaking sensitive data contained in the response body (inferred).

Affected Systems

The vulnerability affects Dozzle versions prior to 10.5.2 when deployed via the documented Docker quickstart with no authentication configured (DOZZLE_AUTH_PROVIDER not set). Users running Dozzle 10.5.1 or earlier with unrestricted access to the /api/notifications/test-webhook endpoint are impacted.

Risk and Exploitability

With a CVSS score of 8.6, this SSRF is considered high severity. The EPSS score is 3%, indicating a moderate probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Because the endpoint is reachable without authentication in the default configuration, any client that can reach the Dozzle service can POST to the test‑webhook endpoint, causing the server to issue a request to a host of the attacker’s choosing and return up to 1 MB of that host’s response. If the internal network hosts sensitive services, an attacker could discover them or exfiltrate data, which makes this an attractive target for a threat actor (inferred).

Generated by OpenCVE AI on June 10, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Dozzle to version 10.5.2 or later.
  • Secure the Dozzle service by enforcing authentication or restricting access to the /api/notifications/test-webhook endpoint to trusted IP addresses or networks.
  • If possible, disable or remove the webhook test functionality so that the endpoint is no longer exposed.
  • Continuously monitor outbound network traffic and logs from the Docker host for unexpected requests to external hosts.
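As an added illustration of the two controls the impact section and the second recommended action call for, the Go snippet below (not Dozzle’s code and not the fix shipped in 10.5.2) validates a caller-supplied webhook URL against non-public destinations and reports only the upstream status code, never the body. The `resolve` parameter and the host names used are assumptions so that the check runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// ErrForbiddenTarget is returned for any URL a webhook test must not contact.
var ErrForbiddenTarget = errors.New("webhook target must be a public http(s) host")
// isNonPublic flags loopback, link-local (cloud metadata ranges), RFC 1918 / ULA,
// unspecified and multicast addresses; IPv4-mapped IPv6 spellings are covered too.
func isNonPublic(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidateWebhookTarget accepts only http(s) URLs whose literal IP, or every resolved
// address, is globally routable. resolve is injected (hypothetical) so tests run offline;
// use net.LookupIP in production and pin the dialer to the checked address (DNS rebinding).
func ValidateWebhookTarget(raw string, resolve func(string) ([]net.IP, error)) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return nil, ErrForbiddenTarget
	}
	ips := []net.IP{net.ParseIP(u.Hostname())}
	if ips[0] == nil { // not an IP literal: resolve the host name instead
		if ips, err = resolve(u.Hostname()); err != nil || len(ips) == 0 {
			return nil, ErrForbiddenTarget
		}
	}
	for _, ip := range ips {
		if isNonPublic(ip) {
			return nil, ErrForbiddenTarget
		}
	}
	return u, nil
}
// WebhookTestResult is all the caller learns about the upstream reply: the status
// code, never the body, so the endpoint cannot be used to read other hosts' responses.
func WebhookTestResult(status int) string {
	if status >= 200 && status < 300 {
		return "webhook delivered"
	}
	return fmt.Sprintf("webhook target returned HTTP %d", status)
}
```

Authentication on the route itself is still required; destination filtering only limits what an authenticated (or, on an unpatched default deploy, unauthenticated) caller can reach.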


Advisories
Source: Github GHSA
ID: GHSA-3v9w-6365-9w54
Title: Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
History

Fri, 29 May 2026 19:30:00 +0000

Type: First Time appeared
  Values Added: Amirraminfar; Amirraminfar dozzle
Type: CPEs
  Values Added: cpe:2.3:a:amirraminfar:dozzle:*:*:*:*:*:docker:*:*
Type: Vendors & Products
  Values Added: Amirraminfar; Amirraminfar dozzle

Wed, 27 May 2026 15:30:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 00:15:00 +0000

Type: First Time appeared
  Values Added: Amir20; Amir20 dozzle
Type: Vendors & Products
  Values Added: Amir20; Amir20 dozzle

Tue, 26 May 2026 22:15:00 +0000

Type: Description
  Values Added: Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
Type: Title
  Values Added: Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)
Type: Weaknesses
  Values Added: CWE-918
Type: References
  Values Added: (none listed)
Type: Metrics (cvssV3_1)
  Values Added: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T14:23:39.845Z

Reserved: 2026-05-11T20:14:43.201Z

Link: CVE-2026-45298

Vulnrichment

Updated: 2026-05-27T14:23:29.607Z

NVD

Status: Analyzed

Published: 2026-05-26T22:16:43.733

Modified: 2026-05-29T19:23:33.280

Link: CVE-2026-45298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:15:07Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)