CVE-2026-45298
Published: 26 May 2026
Summary
CVE-2026-45298 is a high-severity SSRF (CWE-918) vulnerability in Amirraminfar Dozzle. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Dozzle, a realtime log viewer for Docker containers, is affected by an unauthenticated server-side request forgery vulnerability in all versions prior to 10.5.2 when deployed with the documented quickstart configuration, which leaves DOZZLE_AUTH_PROVIDER unset. The flaw resides in the POST /api/notifications/test-webhook endpoint, which accepts an attacker-supplied URL and headers, passes them to WebhookDispatcher for an outbound HTTP POST, and returns both the response status code and up to 1 MB of the response body whenever the target answers with a non-2xx status. A 2xx reply returns no body, so the read primitive depends on provoking an error response; in practice many services answer an unexpected POST with a 4xx or 5xx, so the condition is easy to meet. The issue is tracked as CWE-918 and carries a CVSS 3.1 score of 8.6.
An unauthenticated remote attacker can invoke the endpoint directly over the network to force Dozzle to issue arbitrary HTTP POST requests to internal or external targets and read the status code and body of any non-2xx response. Because the request headers are attacker-controlled as well, the forwarded POST can carry whatever Authorization or cookie values an internal API expects. This enables reconnaissance of non-public services (a 2xx reply still confirms that a target exists and accepted the request), exfiltration of limited response data, and interaction with systems that trust requests originating from the Dozzle host.
The vulnerability is resolved in release 10.5.2. The project's GitHub security advisory GHSA-3v9w-6365-9w54 and the corresponding release notes recommend upgrading immediately and, for users who cannot upgrade, explicitly configuring an authentication provider to restrict access to the notifications API. Note that an authentication provider only limits who can reach the endpoint: until the upgrade is applied, any authenticated user can still trigger the outbound request and read the relayed response, so the workaround should be paired with egress restrictions on the Dozzle container.
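The pattern described above, as an added Go example (illustration written for this page, not Dozzle's code): a handler that behaves the way the advisory describes the pre-10.5.2 endpoint, beside a hardened version that gates on a caller identity and reports only the status code. The JSON field names, the X-Authenticated-User header (a placeholder for whatever the real authentication provider establishes upstream) and the loopback "internal service" are constructed for the demonstration; a real deployment would also restrict where the outbound POST may go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed request shape: a caller-chosen URL and headers (not Dozzle's real schema).
type testWebhookRequest struct {
	URL     string            `json:"url"`
	Headers map[string]string `json:"headers"`
}

// send is the outbound POST both handlers share; every policy decision (who may
// call, where it may go, what is echoed back) is left to the callers.
func send(client *http.Client, req testWebhookRequest) (*http.Response, error) {
	out, err := http.NewRequest(http.MethodPost, req.URL, strings.NewReader(`{"test":true}`))
	if err != nil {
		return nil, err
	}
	for k, v := range req.Headers {
		out.Header.Set(k, v)
	}
	return client.Do(out)
}

// vulnerableTestWebhook models the pre-10.5.2 behaviour: no authentication, no
// validation, and a non-2xx reply is relayed (status plus up to 1 MB of body).
func vulnerableTestWebhook(w http.ResponseWriter, r *http.Request) {
	var req testWebhookRequest
	_ = json.NewDecoder(r.Body).Decode(&req)
	resp, err := send(http.DefaultClient, req)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadGateway)
		return
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // the SSRF read primitive
		http.Error(w, fmt.Sprintf("webhook returned %d: %s", resp.StatusCode, body), http.StatusBadGateway)
		return
	}
	w.WriteHeader(http.StatusNoContent)
}

// hardenedTestWebhook requires a caller identity (placeholder header standing in for
// the auth provider), never reads the target's body, echoes no error detail, and
// takes the client as a parameter so an egress-filtered transport can be supplied.
func hardenedTestWebhook(client *http.Client) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Authenticated-User") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var req testWebhookRequest
		if json.NewDecoder(io.LimitReader(r.Body, 64<<10)).Decode(&req) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		resp, err := send(client, req)
		if err != nil {
			http.Error(w, "webhook unreachable", http.StatusBadGateway)
			return
		}
		resp.Body.Close() // never read, never relayed
		if resp.StatusCode/100 != 2 {
			http.Error(w, fmt.Sprintf("webhook returned HTTP %d", resp.StatusCode), http.StatusBadGateway)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// runDemo points both handlers at a constructed loopback "internal service" that
// answers 500 with a sensitive banner and reports each status and whether it leaked.
func runDemo() (vulnStatus int, vulnLeaked bool, noAuthStatus, authedStatus int, authedLeaked bool) {
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		http.Error(w, "secret-internal-banner", http.StatusInternalServerError)
	}))
	defer internal.Close()
	payload, _ := json.Marshal(testWebhookRequest{URL: internal.URL, Headers: map[string]string{"X-Demo": "1"}})
	call := func(h http.HandlerFunc, user string) (int, bool) {
		req := httptest.NewRequest(http.MethodPost, "/api/notifications/test-webhook", strings.NewReader(string(payload)))
		req.Header.Set("X-Authenticated-User", user)
		rec := httptest.NewRecorder()
		h(rec, req)
		return rec.Code, strings.Contains(rec.Body.String(), "secret-internal-banner")
	}
	vulnStatus, vulnLeaked = call(vulnerableTestWebhook, "")
	noAuthStatus, _ = call(hardenedTestWebhook(http.DefaultClient), "")
	authedStatus, authedLeaked = call(hardenedTestWebhook(http.DefaultClient), "admin")
	return
}

func main() { fmt.Println(runDemo()) } // 502 true 401 502 false
```

Run it and the vulnerable handler answers 502 with the internal banner in its body; the hardened handler answers 401 without a caller identity and, with one, 502 carrying only the status code. The 1 MB cap on io.LimitReader is the advisory's figure. The hardened handler takes the client as a parameter precisely so that an egress-filtered transport can replace http.DefaultClient; without that, an authenticated user can still make the host talk to internal services, which is the residual risk the advisory's workaround leaves open.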
EPSS remains flat at 0.0283 with no material increase since disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
No EU or UK CSIRT advisories indexed for this CVE.
Vulnerability details
Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.
CWE(s): CWE-918 (Server-Side Request Forgery)
Related Threats
MITRE ATT&CK Enterprise Techniques
T1190 Exploit Public-Facing Application
Why these techniques?
SSRF via an unauthenticated, publicly reachable endpoint that lets an attacker make the Dozzle host issue arbitrary outbound HTTP POSTs to attacker-supplied URLs, including internal services that are not otherwise exposed.
Affected Assets: Dozzle, all versions prior to 10.5.2 (exposure requires DOZZLE_AUTH_PROVIDER to be unset)
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): Directly enforces authentication and authorization on the /api/notifications/test-webhook endpoint, blocking the unauthenticated SSRF requests that are possible when DOZZLE_AUTH_PROVIDER is unset.
IA-2 (Identification and Authentication (Organizational Users)): Requires identification and authentication before any remote user can invoke the webhook test endpoint, eliminating the default unauthenticated exposure.
SC-7 (Boundary Protection): Enforces boundary protection and outbound traffic controls that can restrict or monitor the arbitrary HTTP requests issued by WebhookDispatcher to internal or external targets. This limits what the forwarded request can reach, for an attacker on an unpatched deployment and for an authenticated user alike, but it does not remove the flaw; only the upgrade does.
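What the boundary-protection control looks like inside the application, as an added Go example (illustration for this page, not Dozzle's code): an http.Client whose dialer refuses internal destinations at connect time, probed against a constructed loopback service. blockedError, isInternal, egressClient and probe are names chosen here; the internal-range deny set is the usual SSRF list and is an assumption about what a given deployment should block.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"syscall"
	"time"
)

// blockedError marks a connection refused by the egress policy so callers can
// tell "policy said no" apart from an ordinary network failure.
type blockedError struct{ addr string }

func (e *blockedError) Error() string { return "egress blocked: " + e.addr }

// isInternal reports whether an address is one an outbound webhook must not reach:
// loopback, RFC 1918 and ULA ranges, link-local (which includes 169.254.169.254
// metadata endpoints) and the unspecified address. net.ParseIP normalises
// IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1, so those are caught as well.
func isInternal(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified()
}

// egressClient returns an *http.Client whose dialer enforces isInternal at connect
// time. Dialer.Control runs after DNS resolution and again for every redirect hop,
// so it also catches hostnames that resolve, or rebind between checks, to an
// internal address, which a check on the URL string before sending cannot.
func egressClient() *http.Client {
	d := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || isInternal(ip) {
				return &blockedError{addr: address}
			}
			return nil
		},
	}
	return &http.Client{
		// A fresh Transport has no Proxy, so HTTP_PROXY cannot route around the dial check.
		Transport: &http.Transport{DialContext: d.DialContext},
		Timeout:   10 * time.Second,
		CheckRedirect: func(_ *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			return nil // each hop dials again and is re-checked by Control
		},
	}
}

// probe POSTs to target with client and classifies the outcome: "blocked" when the
// egress policy refused the connection, "error" for any other failure, otherwise
// the HTTP status. The body is drained and discarded, never returned to the caller.
func probe(client *http.Client, target string) string {
	resp, err := client.Post(target, "application/json", strings.NewReader(`{"test":true}`))
	var blocked *blockedError
	switch {
	case errors.As(err, &blocked):
		return "blocked"
	case err != nil:
		return "error"
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, io.LimitReader(resp.Body, 4096))
	return fmt.Sprintf("status %d", resp.StatusCode)
}

// runEgressDemo stands up a constructed loopback "internal service" (a stand-in for
// the non-public targets the advisory mentions) and probes it with an unrestricted
// client and with the egress-filtered one.
func runEgressDemo() (unrestricted, filtered string) {
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		http.Error(w, "secret-internal-banner", http.StatusInternalServerError)
	}))
	defer internal.Close()
	return probe(http.DefaultClient, internal.URL), probe(egressClient(), internal.URL)
}

func main() {
	u, f := runEgressDemo()
	fmt.Println("unrestricted client:", u) // status 500
	fmt.Println("egress client:", f)       // blocked
	for _, s := range []string{"127.0.0.1", "10.1.2.3", "169.254.169.254", "::1", "::ffff:10.0.0.1", "203.0.113.10"} {
		fmt.Println(s, "internal:", isInternal(net.ParseIP(s)))
	}
}
```

Expect the unrestricted client to report status 500 and the egress client to report blocked. The deny set covers all of RFC 1918, which includes most Docker bridge networks, so a deployment whose legitimate webhook receiver sits on such a network needs an explicit allowlist layered in front of isInternal rather than a weaker deny list. Network-level egress rules on the container enforce the same control outside the process and catch anything the in-process check misses.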