Cyber Resilience

CVE-2026-45298

Severity: High · Public PoC available

Published: 26 May 2026
Modified: 29 May 2026
KEV Added: not listed
Patch: available (fixed in 10.5.2)
CVSS Score (v3.1): 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0149 (70.9th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-45298 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in Dozzle (amirraminfar). Its CVSS 3.1 base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 29.1% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Dozzle, a realtime log viewer for Docker containers, is affected by an unauthenticated server-side request forgery vulnerability in all versions prior to 10.5.2 when deployed with the documented quickstart configuration that leaves DOZZLE_AUTH_PROVIDER unset. The flaw resides in the POST /api/notifications/test-webhook endpoint, which accepts an attacker-supplied URL and headers, passes them to WebhookDispatcher for an outbound HTTP POST, and returns both the response status code and up to 1 MB of the response body whenever the target returns a non-2xx status. The issue is tracked as CWE-918 and carries a CVSS 3.1 score of 8.6.

An unauthenticated remote attacker can invoke the endpoint directly over the network to force Dozzle to issue arbitrary HTTP requests to internal or external targets while retrieving portions of the resulting responses. This enables reconnaissance of non-public services, exfiltration of limited response data, or interaction with systems that trust requests originating from the Dozzle host.

The vulnerability is resolved in release 10.5.2. The project’s GitHub security advisory GHSA-3v9w-6365-9w54 and corresponding release notes recommend upgrading immediately and, for users who cannot upgrade, explicitly configuring an authentication provider to restrict access to the notifications API.
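As an added example (not code from the Dozzle project or from the advisory), the check below decides from `docker inspect` output whether a container is in the configuration the advisory calls vulnerable: a release earlier than 10.5.2 with DOZZLE_AUTH_PROVIDER unset. It assumes the image tag carries the version (amir20/dozzle:<tag>), treats an explicit value of "none" the same as an unset variable, and runs on constructed inspect JSON; a tag such as "latest" cannot be classified and is reported as unverified rather than silently passed.

```python
"""Exposure check for CVE-2026-45298 (added example; not Dozzle project code).

Flags Dozzle containers running in the configuration the advisory describes as
vulnerable: a release earlier than 10.5.2 with no authentication provider set
(DOZZLE_AUTH_PROVIDER unset). Input is the JSON printed by `docker inspect`,
e.g. `docker inspect $(docker ps -q --filter ancestor=amir20/dozzle)`.
Assumptions not taken from the advisory: the image tag carries the version
(`amir20/dozzle:v10.5.1`), an explicit value of "none" means the same as unset,
and the sample inspect output below is constructed.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

FIXED_VERSION = (10, 5, 2)   # first fixed release named in the advisory
AUTH_VAR = "DOZZLE_AUTH_PROVIDER"


def parse_version(tag: str) -> tuple[int, int, int] | None:
    """'v10.5.1' -> (10, 5, 1); None for tags such as 'latest' that carry no version.
    Numeric tuple comparison avoids the string-ordering bug where '10.10.0' < '10.5.2'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def auth_provider(env: list[str]) -> str | None:
    """Configured auth provider from a docker Env list ('KEY=value'); None if unset or 'none'."""
    for item in env:
        key, _, value = item.partition("=")
        value = value.strip()
        if key == AUTH_VAR and value and value.lower() != "none":
            return value
    return None


@dataclass
class Finding:
    container: str
    tag: str
    auth: str | None
    status: str   # "vulnerable" | "mitigated" | "fixed" | "unverified"
    reason: str


def assess(inspect_json: str) -> list[Finding]:
    """Classify every container in a `docker inspect` JSON array."""
    findings: list[Finding] = []
    for c in json.loads(inspect_json):
        name = c["Name"].lstrip("/")
        cfg = c.get("Config", {})
        image = cfg.get("Image", "")
        last = image.rsplit("/", 1)[-1]                           # drop registry/namespace so that
        tag = last.split(":", 1)[1] if ":" in last else "latest"  # 'host:5000/dozzle' is not read as a tag
        ver = parse_version(tag)
        auth = auth_provider(cfg.get("Env") or [])
        if ver is not None and ver >= FIXED_VERSION:
            status, why = "fixed", "release 10.5.2 or later"
        elif auth is not None:
            status, why = "mitigated", f"auth provider '{auth}' restricts the notifications API; upgrade to 10.5.2 still required"
        elif ver is None:
            status, why = "unverified", "no auth provider and version not derivable from tag; treat as exposed until checked"
        else:
            status, why = "vulnerable", "< 10.5.2 with no auth provider: POST /api/notifications/test-webhook is unauthenticated"
        findings.append(Finding(name, tag, auth, status, why))
    return findings


# Constructed sample of `docker inspect` output (only the fields used above).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/dozzle-prod", "Config": {"Image": "amir20/dozzle:v10.5.1",
                                        "Env": ["PATH=/usr/bin", "DOZZLE_LEVEL=info"]}},
    {"Name": "/dozzle-staging", "Config": {"Image": "amir20/dozzle:v10.5.1",
                                           "Env": ["DOZZLE_AUTH_PROVIDER=simple"]}},
    {"Name": "/dozzle-new", "Config": {"Image": "ghcr.io/amir20/dozzle:10.5.2",
                                       "Env": ["DOZZLE_AUTH_PROVIDER=none"]}},
    {"Name": "/dozzle-latest", "Config": {"Image": "amir20/dozzle:latest", "Env": []}},
])

if __name__ == "__main__":
    for f in assess(SAMPLE_INSPECT):
        print(f"{f.container:16} {f.tag:10} {f.status:11} {f.reason}")
```

The "mitigated" state is deliberately not "fixed": the advisory names an authentication provider only as the fallback for operators who cannot upgrade, so the script keeps reporting those containers until the image is at 10.5.2 or later.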

EPSS remains flat at 0.0283 with no material increase since disclosure.

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

Dozzle is a realtime log viewer for docker containers. Prior to 10.5.2, in a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that sends an HTTP POST to the supplied URL with attacker-controlled request headers, and returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx. This vulnerability is fixed in 10.5.2.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)
Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF via unauthenticated public endpoint enabling arbitrary outbound HTTP requests to attacker-controlled URLs.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
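Exploitation of this issue leaves a direct trace at whatever fronts Dozzle: POST requests to /api/notifications/test-webhook. As an added example (not from the advisory or the Dozzle project), the scanner below reads reverse-proxy access logs in the nginx/Apache "combined" format, skips allow-listed monitoring hosts, and summarises every other caller of that endpoint per source address. The log lines are constructed, and the combined format and the allow-list are assumptions about the deployment.

```python
"""Access-log detection for CVE-2026-45298 probing (added example; not Dozzle project code).

Scans reverse-proxy access logs (nginx/Apache "combined" format) for POST requests
to the Dozzle endpoint named in the advisory, /api/notifications/test-webhook, and
summarises them per source address. The sample lines are constructed. Assumptions
not taken from the advisory: Dozzle sits behind a reverse proxy that logs in
combined format, and the operator's own monitoring hosts are allow-listed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

TARGET_PATH = "/api/notifications/test-webhook"

# Combined log format: src ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


@dataclass
class SourceSummary:
    src: str
    hits: int = 0
    statuses: Counter = field(default_factory=Counter)   # proxy status codes seen
    user_agents: set = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""


def scan(lines, allowlist=frozenset()):
    """Return {src_ip: SourceSummary} for every POST to the test-webhook endpoint
    from a source not in `allowlist`. A query string does not change the match,
    and unparsable lines are skipped so one bad record does not abort a batch run."""
    out = {}
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or path != TARGET_PATH or m["src"] in allowlist:
            continue
        s = out.setdefault(m["src"], SourceSummary(m["src"], first_seen=m["ts"]))
        s.hits += 1
        s.statuses[m["status"]] += 1
        s.user_agents.add(m["ua"])
        s.last_seen = m["ts"]
    return out


# Constructed sample: three probes from one external host, an unrelated GET,
# one POST from an internal monitoring host, and a line that does not parse.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:10:01:02 +0000] "POST /api/notifications/test-webhook HTTP/1.1" 200 1043 "-" "python-requests/2.32.3"
203.0.113.7 - - [27/May/2026:10:01:03 +0000] "POST /api/notifications/test-webhook HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.7 - - [27/May/2026:10:01:05 +0000] "POST /api/notifications/test-webhook?x=1 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.4 - - [27/May/2026:10:02:00 +0000] "GET /api/containers HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.5 - - [27/May/2026:10:03:00 +0000] "POST /api/notifications/test-webhook HTTP/1.1" 200 310 "-" "Go-http-client/1.1"
this line is deliberately not in combined format
""".splitlines()

MONITORING_HOSTS = frozenset({"10.0.0.5"})   # assumed internal hosts allowed to use the endpoint

if __name__ == "__main__":
    for s in scan(SAMPLE_LOG, MONITORING_HOSTS).values():
        print(f"{s.src}: {s.hits} calls, {s.first_seen} .. {s.last_seen}, "
              f"agents={sorted(s.user_agents)}, statuses={dict(s.statuses)}")
```

If Dozzle is exposed directly rather than behind a proxy, this log does not exist, and the only reliable controls are the upgrade and an authentication provider. Once a provider is configured, the same scan is still useful: any request to the endpoint that the proxy records from an unexpected source is worth a look regardless of the status code it received.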

CVEs Like This One

CVE-2026-24740 (same product: amirraminfar Dozzle)
CVE-2024-13195 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-69299 (shared CWE-918)
CVE-2026-42398 (shared CWE-918)
CVE-2026-7025 (shared CWE-918)
CVE-2025-2691 (shared CWE-918)
CVE-2025-21385 (shared CWE-918)
CVE-2026-6625 (shared CWE-918)

Affected Assets

amirraminfar / dozzle
All versions prior to 10.5.2 (fixed in 10.5.2)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent

Directly enforces authentication and authorization on the /api/notifications/test-webhook endpoint, blocking the unauthenticated SSRF requests that are possible when DOZZLE_AUTH_PROVIDER is unset.

IA-2 Identification and Authentication (Organizational Users) · prevent

Requires identification and authentication before any remote user can invoke the webhook test endpoint, eliminating the default unauthenticated exposure.

SC-7 Boundary Protection · prevent

Enforces boundary protection and outbound (egress) traffic controls that can restrict or monitor the arbitrary HTTP requests issued by WebhookDispatcher to internal or external targets. Egress filtering complements, but does not replace, authentication on the endpoint: requests to targets reachable without crossing the filtered boundary are unaffected by it.

References