{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-45298/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dozzle"],"_cs_severities":["high"],"_cs_tags":["ssrf","dozzle","cve-2026-45298"],"_cs_type":"advisory","_cs_vendors":["amir20"],"content_html":"\u003cp\u003eDozzle, a real-time log viewer for Docker containers, is vulnerable to Server-Side Request Forgery (SSRF) (CVE-2026-45298) via the \u003ccode\u003e/api/notifications/test-webhook\u003c/code\u003e endpoint. The endpoint is reachable without authentication in default deployments, where the \u003ccode\u003eDOZZLE_AUTH_PROVIDER\u003c/code\u003e environment variable is not set. An unauthenticated attacker can use it to make the Dozzle process send HTTP POST requests, with attacker-chosen headers, to any internal or external resource reachable from the Dozzle host. When the target answers with a non-2xx status, the application reads up to 1MB of the response body and reflects it, together with the status code, back to the caller, which lets the attacker retrieve data from internal services, cloud metadata endpoints, or other reachable targets. Dozzle version 8.14.12 and earlier are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a Dozzle instance running with the default no-authentication configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003e/api/notifications/test-webhook\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe JSON request body carries a \u003ccode\u003eurl\u003c/code\u003e parameter naming the target of the SSRF and an optional \u003ccode\u003eheaders\u003c/code\u003e parameter whose entries are copied into the outgoing request, so the attacker controls arbitrary headers as well.\u003c/li\u003e\n\u003cli\u003eBecause no authentication is configured, the Dozzle server accepts the request without identifying the caller or validating the target URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eWebhookDispatcher\u003c/code\u003e builds an HTTP POST request to the attacker-specified URL, including the attacker-provided headers, and sends it from the Dozzle host.\u003c/li\u003e\n\u003cli\u003eIf the target responds with a non-2xx status code, the server reads up to 1MB of the response body.\u003c/li\u003e\n\u003cli\u003eThe server returns the status code and that response body in its JSON reply, exposing the internal service's output to the attacker. Even a 2xx response, whose body is not reflected, still confirms that the target exists and answered.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets an attacker read data from internal services, potentially exposing configuration details, API keys, or internal documents. It also allows probing for the existence of internal hosts and services and injecting headers into requests sent to them. This can lead to further compromise of internal systems.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRefuse \u003ccode\u003etest-webhook\u003c/code\u003e requests when \u003ccode\u003eAuthorization.Provider\u003c/code\u003e is set to \u003ccode\u003eNONE\u003c/code\u003e; an endpoint that makes outbound requests on the caller's behalf must not be reachable pre-authentication.\u003c/li\u003e\n\u003cli\u003eHarden \u003ccode\u003eWebhookDispatcher\u003c/code\u003e against SSRF, as the advisory suggests: validate and sanitize the input URL, refuse non-HTTP(S) schemes, resolve the host with \u003ccode\u003enet.LookupIP\u003c/code\u003e, refuse private, loopback, link-local, and CGNAT addresses (checking every address the name resolves to, not only the first), and pin \u003ccode\u003ehttp.Transport.DialContext\u003c/code\u003e to the resolved IP address so that a DNS change between validation and connection cannot redirect the request. Not following HTTP redirects closes the same gap for 3xx responses.\u003c/li\u003e\n\u003cli\u003eStop reflecting the response body in the \u003ccode\u003etestWebhook\u003c/code\u003e handler: return only the \u003ccode\u003eSuccess\u003c/code\u003e boolean and the \u003ccode\u003eStatusCode\u003c/code\u003e integer, as the advisory suggests.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to the \u003ccode\u003e/api/notifications/test-webhook\u003c/code\u003e endpoint whose request body names internal IP addresses or cloud metadata endpoints, and deploy the Sigma rule \u003ccode\u003eDetect Dozzle SSRF Attempt via test-webhook\u003c/code\u003e to identify exploitation attempts. Ordinary access logs do not record POST bodies, so the URL check needs a reverse proxy, WAF, or application log that captures the body; at minimum, alert on any POST to this endpoint on an instance with no authentication provider configured.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T16:42:39Z","date_published":"2026-05-18T16:42:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dozzle-ssrf/","summary":"Dozzle's default no-auth deployment has a pre-authentication Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-45298) that can expose internal resources.","title":"Dozzle Pre-Auth SSRF Vulnerability via /api/notifications/test-webhook (CVE-2026-45298)","url":"https://feed.craftedsignal.io/briefs/2026-05-dozzle-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-45298","version":"https://jsonfeed.org/version/1.1"}
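The hardening steps from the Recommendation section above, worked through as an added example in Go (Dozzle's implementation language). This is illustrative code written for this page, not Dozzle's own WebhookDispatcher and not the advisory's patch. HardenedDispatcher, ValidateTarget, isDisallowedIP, pinnedClient, summarize and TestWebhook are assumed names, the target URLs are constructed, and the resolver is injected (net.LookupIP in production, a fixed map in tests) so the checks run offline. It refuses the request when no auth provider is configured, allows only http(s), resolves the host and rejects any private, loopback, link-local (which includes 169.254.169.254), CGNAT, unspecified or multicast answer, pins http.Transport.DialContext to the vetted IP, refuses redirects, and returns only Success and StatusCode.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// Added example, not Dozzle's code: a hardened stand-in for the WebhookDispatcher
// behind /api/notifications/test-webhook. All identifiers below are assumed names.
// WebhookTestResult is all the handler reflects: status only, never the body.
type WebhookTestResult struct {
	Success    bool `json:"success"`
	StatusCode int  `json:"statusCode"`
}

type HardenedDispatcher struct {
	AuthProvider string                              // "NONE" or unset means no authentication
	Resolve      func(host string) ([]net.IP, error) // net.LookupIP in production, a fake in tests
}

var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10") // RFC 6598 CGNAT, not covered by net.IP.IsPrivate

// isDisallowedIP: loopback, RFC 1918/ULA, link-local (incl. 169.254.169.254), CGNAT,
// unspecified, multicast. The predicates call To4(), so IPv4-mapped IPv6 is caught too.
func isDisallowedIP(ip net.IP) bool {
	return ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// ValidateTarget enforces http(s), resolves the host once and rejects the target if ANY
// resolved address is disallowed; the returned IP is the one the dialer gets pinned to.
func (d *HardenedDispatcher) ValidateTarget(raw string) (*url.URL, net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, nil, fmt.Errorf("parse url: %w", err)
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || host == "" {
		return nil, nil, fmt.Errorf("target %q: need http(s) scheme, a host and no userinfo", raw)
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve it
		if ips, err = d.Resolve(host); err != nil || len(ips) == 0 {
			return nil, nil, fmt.Errorf("resolve %q failed: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isDisallowedIP(ip) {
			return nil, nil, fmt.Errorf("host %q resolves to disallowed address %s", host, ip)
		}
	}
	return u, ips[0], nil
}

// pinnedClient dials only the vetted IP (a DNS rebind after validation changes nothing),
// refuses redirects, ignores proxy env vars, bounds the exchange; TLS still uses the URL hostname.
func pinnedClient(ip net.IP) *http.Client {
	tr := &http.Transport{Proxy: nil, DisableKeepAlives: true,
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			_, port, _ := net.SplitHostPort(addr) // the transport always passes host:port
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, net.JoinHostPort(ip.String(), port))
		}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}

// summarize drains at most 64 KiB of the target's body and discards it: only Success and StatusCode reach the caller.
func summarize(status int, body io.ReadCloser) WebhookTestResult {
	defer body.Close()
	_, _ = io.Copy(io.Discard, io.LimitReader(body, 64<<10))
	return WebhookTestResult{Success: status >= 200 && status < 300, StatusCode: status}
}

func (d *HardenedDispatcher) TestWebhook(ctx context.Context, rawURL string, headers map[string]string, payload string) (WebhookTestResult, error) {
	if d.AuthProvider == "" || strings.EqualFold(d.AuthProvider, "NONE") {
		return WebhookTestResult{}, fmt.Errorf("test-webhook refused: authentication is not configured")
	}
	u, ip, err := d.ValidateTarget(rawURL)
	if err != nil {
		return WebhookTestResult{}, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, u.String(), strings.NewReader(payload))
	if err != nil {
		return WebhookTestResult{}, err
	}
	for k, v := range headers { // net/http drops Host, Content-Length and Transfer-Encoding set here
		req.Header.Set(k, v)
	}
	resp, err := pinnedClient(ip).Do(req)
	if err != nil {
		return WebhookTestResult{}, err
	}
	return summarize(resp.StatusCode, resp.Body), nil
}
```

In production, set Resolve to net.LookupIP. The pin matters because the transport would otherwise resolve the hostname a second time when dialing, so an attacker-controlled name could answer with a public address during validation and a metadata or loopback address at connect time; with redirects disabled, a 3xx from a public host cannot re-target the request either. The same isDisallowedIP predicate is the check a log-side detection would apply to a literal-IP url value pulled from a captured request body.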