CVE-2026-24740
Published: 27 January 2026
Summary
CVE-2026-24740 is a critical-severity Improper Access Control (CWE-284) vulnerability in Amirraminfar Dozzle. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the 6.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly mitigating the improper enforcement of label filters in Dozzle's shell endpoints that lets a user target out-of-scope containers.
- SI-10 (Information Input Validation): Validates container ID inputs to agent-backed shell endpoints against the user's label restrictions, so a request that names a container directly cannot bypass the authorization check.
- Requires timely remediation of the access control flaw patched in Dozzle 9.0.3, closing the path to unauthorized root shell access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Dozzle web app (label filter bypass on shell endpoints) directly enables remote exploitation for unauthorized root shell access inside Docker containers (T1190); the resulting interactive Unix shell facilitates command execution (T1059.004) and, given root privileges, may permit container-to-host breakout (T1611).
NVD Description
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out-of-scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue.
Deeper analysis
CVE-2026-24740 is a critical-severity vulnerability in Dozzle, a realtime log viewer for Docker containers, affecting versions prior to 9.0.3. The flaw exists in Dozzle's agent-backed shell endpoints, where label-based filters (such as `label=env=dev`) are not re-applied to the container a shell request names, allowing users to target container IDs directly and gain unauthorized entry into out-of-scope containers (such as `env=prod`) on the same agent host. It carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L) and maps to CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization).
A low-privileged user (PR:L) with network access to a vulnerable Dozzle instance can exploit this issue without user interaction. By specifying the container ID of a restricted container on the same agent host, the attacker bypasses label filters to obtain an interactive root shell in that container, potentially leading to high-impact confidentiality and integrity compromises across scoped boundaries, with limited availability disruption.
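As an added illustration (not Dozzle's code: the container type, the function names and everything beyond the quoted `label=env=dev` filter form are assumptions), this Go snippet contrasts the flawed pattern, where a caller-supplied container ID is resolved without re-checking the caller's filter, with the per-container enforcement that the AC-3 and SI-10 controls above describe:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Container is a constructed stand-in (not Dozzle's type) for one container's metadata.
type Container struct {
	ID     string
	Labels map[string]string
}

// LabelFilter is one "label=key=value" restriction attached to a user.
type LabelFilter struct{ Key, Value string }
// ParseLabelFilter parses the "label=env=dev" form quoted in the advisory.
func ParseLabelFilter(s string) (LabelFilter, error) {
	k, v, ok := strings.Cut(strings.TrimPrefix(s, "label="), "=")
	if !strings.HasPrefix(s, "label=") || !ok || k == "" || v == "" {
		return LabelFilter{}, fmt.Errorf("malformed label filter %q", s)
	}
	return LabelFilter{Key: k, Value: v}, nil
}

// Matches reports whether the container carries the filter's label.
func (f LabelFilter) Matches(c Container) bool {
	v, ok := c.Labels[f.Key]
	return ok && v == f.Value
}

var ErrOutOfScope = errors.New("container is outside the caller's label filter")
// OpenShellUnchecked models the flawed pattern: a caller-supplied ID is resolved on
// the agent host without re-applying the filter, so every container there is reachable.
func OpenShellUnchecked(agent map[string]Container, id string) (Container, error) {
	if c, ok := agent[id]; ok {
		return c, nil
	}
	return Container{}, errors.New("no such container")
}

// OpenShellScoped re-checks the requested container against the caller's filter
// (AC-3 / SI-10). Unknown and out-of-scope IDs get one error, so IDs are not confirmed.
func OpenShellScoped(agent map[string]Container, f LabelFilter, id string) (Container, error) {
	if c, ok := agent[id]; ok && f.Matches(c) {
		return c, nil
	}
	return Container{}, ErrOutOfScope
}
```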
Dozzle version 9.0.3 addresses the vulnerability with a targeted patch. Security practitioners should upgrade to this version or later. Key resources include the fixing commit at https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1, the release notes at https://github.com/amir20/dozzle/releases/tag/v9.0.3, and the GitHub security advisory at https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5.
Details
- CWE(s)