{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/amir20/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["dozzle (\u003c= 10.5.1)"],"_cs_severities":["high"],"_cs_tags":["cswsh","websocket","authentication-bypass"],"_cs_type":"advisory","_cs_vendors":["github.com","amir20"],"content_html":"\u003cp\u003eDozzle, a real-time log viewer for Docker containers, is susceptible to a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. The vulnerability exists due to the \u003ccode\u003eCheckOrigin\u003c/code\u003e function in the WebSocket upgrader being overridden to always return true, effectively disabling cross-origin protection. Combined with the use of \u003ccode\u003eSameSite=Lax\u003c/code\u003e for the JWT cookie, an attacker hosting a malicious page on the same site (e.g., a sibling subdomain or another service on localhost) can exploit this to gain unauthorized access. This allows the attacker to establish a WebSocket connection to the \u003ccode\u003e/exec\u003c/code\u003e or \u003ccode\u003e/attach\u003c/code\u003e endpoints using the victim\u0026rsquo;s valid JWT cookie, granting them interactive shell access to any container the victim is authorized to access. This vulnerability, tracked as CVE-2026-44985, affects Dozzle versions up to and including 10.5.1. Even deployments with authentication properly configured are vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker hosts a malicious page on a domain that shares the same site as the vulnerable Dozzle instance (e.g., \u003ccode\u003eattacker.example.com\u003c/code\u003e if Dozzle is on \u003ccode\u003edozzle.example.com\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eA victim who is authenticated to Dozzle visits the attacker\u0026rsquo;s page in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s webpage executes JavaScript that initiates a WebSocket connection to the Dozzle server, specifically targeting the \u003ccode\u003e/api/hosts/{host}/containers/{id}/exec\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser automatically includes the JWT cookie in the WebSocket request because the attacker\u0026rsquo;s page is on the same site and the cookie\u0026rsquo;s \u003ccode\u003eSameSite\u003c/code\u003e attribute is set to \u003ccode\u003eLax\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDozzle\u0026rsquo;s WebSocket upgrader bypasses the origin check because the \u003ccode\u003eCheckOrigin\u003c/code\u003e function is configured to always return \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Dozzle server validates the JWT cookie, authenticating the WebSocket connection as the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker now has an interactive shell session within the victim\u0026rsquo;s authorized containers.\u003c/li\u003e\n\u003cli\u003eThe attacker can then execute arbitrary commands within the container, potentially leading to sensitive information disclosure or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this CSWSH vulnerability allows an attacker to execute arbitrary commands within Docker containers that the victim has access to. This can lead to the compromise of sensitive data, such as secrets, environment variables, and files stored within the containers. Furthermore, an attacker can potentially pivot to other services accessible from the container\u0026rsquo;s network, potentially escalating the attack. If the Docker socket is mounted with write permissions, the attacker might even be able to escape the container and compromise the host system.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Dozzle to a version greater than 10.5.1 to remediate CVE-2026-44985.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Dozzle CSWSH Attempt via Origin Header\u003c/code\u003e to identify potential exploitation attempts by monitoring WebSocket connections with mismatched Origin headers, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eApply the suggested fix by removing the custom \u003ccode\u003eCheckOrigin\u003c/code\u003e override in Dozzle\u0026rsquo;s source code, reverting to the default gorilla/websocket behavior, which rejects cross-origin requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:08:12Z","date_published":"2026-05-11T14:08:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dozzle-cswsh/","summary":"Dozzle is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) due to a permissive CheckOrigin configuration and the use of SameSite=Lax for JWT cookies, allowing attackers on the same site to gain shell access to containers even with authentication enabled, tracked as CVE-2026-44985.","title":"Dozzle Cross-Site WebSocket Hijacking (CSWSH) Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-dozzle-cswsh/"}],"language":"en","title":"CraftedSignal Threat Feed — Amir20","version":"https://jsonfeed.org/version/1.1"}