Amir20 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/amir20/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioMon, 11 May 2026 14:08:12 +0000Dozzle Cross-Site WebSocket Hijacking (CSWSH) Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-dozzle-cswsh/Mon, 11 May 2026 14:08:12 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-dozzle-cswsh/Dozzle is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) due to a permissive CheckOrigin configuration and the use of SameSite=Lax for JWT cookies, allowing attackers on the same site to gain shell access to containers even with authentication enabled, tracked as CVE-2026-44985.Dozzle, a real-time log viewer for Docker containers, is susceptible to a Cross-Site WebSocket Hijacking (CSWSH) vulnerability. The vulnerability exists due to the CheckOrigin function in the WebSocket upgrader being overridden to always return true, effectively disabling cross-origin protection. Combined with the use of SameSite=Lax for the JWT cookie, an attacker hosting a malicious page on the same site (e.g., a sibling subdomain or another service on localhost) can exploit this to gain unauthorized access. This allows the attacker to establish a WebSocket connection to the /exec or /attach endpoints using the victim’s valid JWT cookie, granting them interactive shell access to any container the victim is authorized to access. This vulnerability, tracked as CVE-2026-44985, affects Dozzle versions up to and including 10.5.1. Even deployments with authentication properly configured are vulnerable.

Attack Chain

  1. The attacker hosts a malicious page on a domain that shares the same site as the vulnerable Dozzle instance (e.g., attacker.example.com if Dozzle is on dozzle.example.com).
  2. A victim who is authenticated to Dozzle visits the attacker’s page in their browser.
  3. The attacker’s webpage executes JavaScript that initiates a WebSocket connection to the Dozzle server, specifically targeting the /api/hosts/{host}/containers/{id}/exec endpoint.
  4. The victim’s browser automatically includes the JWT cookie in the WebSocket request because the attacker’s page is on the same site and the cookie’s SameSite attribute is set to Lax.
  5. Dozzle’s WebSocket upgrader bypasses the origin check because the CheckOrigin function is configured to always return true.
  6. The Dozzle server validates the JWT cookie, authenticating the WebSocket connection as the victim.
  7. The attacker now has an interactive shell session within the victim’s authorized containers.
  8. The attacker can then execute arbitrary commands within the container, potentially leading to sensitive information disclosure or further exploitation.

Impact

Successful exploitation of this CSWSH vulnerability allows an attacker to execute arbitrary commands within Docker containers that the victim has access to. This can lead to the compromise of sensitive data, such as secrets, environment variables, and files stored within the containers. Furthermore, an attacker can potentially pivot to other services accessible from the container’s network, potentially escalating the attack. If the Docker socket is mounted with write permissions, the attacker might even be able to escape the container and compromise the host system.

Recommendation

  • Upgrade Dozzle to a version greater than 10.5.1 to remediate CVE-2026-44985.
  • Deploy the Sigma rule Detect Dozzle CSWSH Attempt via Origin Header to identify potential exploitation attempts by monitoring WebSocket connections with mismatched Origin headers, and tune it for your environment.
  • Apply the suggested fix by removing the custom CheckOrigin override in Dozzle’s source code, reverting to the default gorilla/websocket behavior, which rejects cross-origin requests.
]]>highadvisorycswshwebsocketauthentication-bypass