Executive Summary

This vulnerability exists in Dozzle, a realtime log viewer for Docker containers, in versions prior to 10.5.2. In a default deployment without authentication configured, the POST endpoint /api/notifications/test-webhook can be accessed without any authentication.

An attacker can supply a URL to this endpoint, which the application then forwards to a WebhookDispatcher. This dispatcher sends an HTTP POST request to the attacker-controlled URL, including attacker-controlled request headers.

If the target URL responds with a non-2xx status code, the application returns both the response status code and up to 1MB of the response body back to the attacker.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can be exploited by an attacker to perform server-side request forgery (SSRF), allowing them to make the Dozzle server send HTTP POST requests to arbitrary URLs with attacker-controlled headers.

The attacker can receive detailed responses including status codes and up to 1MB of response data from the targeted URLs, potentially exposing sensitive internal services or data.

Because the endpoint is accessible without authentication, this can be exploited remotely and without any privileges, increasing the risk of information disclosure or further attacks on internal networks.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Dozzle to version 10.5.2 or later, where the issue is fixed.

Additionally, avoid using the default deployment without authentication (i.e., do not leave DOZZLE_AUTH_PROVIDER unset) to prevent unauthorized access to the /api/notifications/test-webhook endpoint.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-45298 allows unauthenticated attackers to send HTTP POST requests to arbitrary URLs, including internal services, and receive up to 1MB of response data. This can lead to exposure of sensitive internal information such as intranet admin panel responses, cloud metadata, or internal hostnames.

Such exposure of sensitive information could potentially violate data protection regulations like GDPR or HIPAA, which require strict controls on access to and disclosure of personal or sensitive data.

Because the vulnerability arises from lack of authentication and allows information disclosure, affected deployments may fail to meet compliance requirements related to confidentiality and access control.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the POST /api/notifications/test-webhook endpoint is accessible without authentication on your Dozzle deployment.

A simple way to test this is to send an unauthenticated HTTP POST request to the endpoint and observe if it forwards the request to an attacker-controlled URL and returns response data.

Example command using curl to test the endpoint accessibility and behavior:

• curl -X POST http://<dozzle-host>:<port>/api/notifications/test-webhook -d '{"url":"http://attacker-controlled-url","headers":{"X-Test":"test"}}' -H 'Content-Type: application/json' -v

If the response includes the status code and up to 1MB of the response body from the supplied URL, and no authentication is required, your system is vulnerable.

Additionally, scanning your network for exposed Dozzle instances with this endpoint accessible without authentication can help detect vulnerable deployments.

Useful 0 Not Useful 0