PatchSiren

CVE-2026-44985 amir20 CVE debrief

A critical Cross-Site WebSocket Hijacking (CSWSH) vulnerability in Dozzle, a real-time Docker log viewer, enables attackers to gain interactive shell access to containers by exploiting a permissive WebSocket origin check combined with lax cookie security. The vulnerability affects versions prior to 10.5.2 and was disclosed on 2026-05-26.

Vendor: amir20
Product: dozzle
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running Dozzle for container log monitoring and operations; security teams managing container platform access controls; developers building WebSocket-based administrative interfaces; DevOps engineers responsible for Docker runtime security

Technical summary

Dozzle versions prior to 10.5.2 contain a Cross-Site WebSocket Hijacking vulnerability in the /exec and /attach endpoints. The WebSocket upgrader accepts connections from any origin due to a permissive CheckOrigin function returning true for all requests. Combined with JWT cookies using SameSite: Lax, this allows attackers hosting content on same-site origins (sibling subdomains, other localhost services) to establish authenticated WebSocket connections using the victim's browser credentials. Successful exploitation grants interactive shell access to any container the victim is authorized to access. The vulnerability is classified as CWE-346 (Origin Validation Error) and carries a HIGH severity CVSS score of 8.7.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Dozzle to version 10.5.2 or later to obtain the origin validation fix
  • Review WebSocket endpoint configurations in Go applications for permissive CheckOrigin implementations
  • Audit JWT cookie SameSite settings across applications; consider SameSite=Strict for sensitive operations
  • Implement additional origin validation at reverse proxy or WAF layer as defense-in-depth
  • Monitor for anomalous WebSocket connections to /exec and /attach endpoints in container environments
  • Review container runtime security policies to restrict unexpected interactive shell sessions

Evidence notes

The vulnerability stems from two implementation weaknesses: (1) the WebSocket upgrader for /exec and /attach endpoints uses CheckOrigin: func(r *http.Request) bool { return true }, accepting upgrade requests from any origin without validation; and (2) the JWT authentication cookie uses SameSite: Lax, allowing cross-site requests in certain navigation contexts. The CVSS 4.0 vector (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N) reflects network attack vector, low attack complexity, no privileges required, no user interaction, and high integrity impact. CWE-346 (Origin Validation Error) is the primary weakness classification. The fix in version 10.5.2 addresses the origin validation deficiency.
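
The permissive CheckOrigin quoted above beside a strict replacement with the same signature, as an added example (not Dozzle's code, and not the 10.5.2 fix, which this page does not show). It uses only the Go standard library; the host dozzle.example.test, the sample origins and the helper names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// permissiveCheckOrigin is the pattern quoted above: every Origin is accepted.
func permissiveCheckOrigin(r *http.Request) bool { return true }

// strictCheckOrigin returns a CheckOrigin-compatible func that accepts only
// exact scheme://host[:port] matches from allowed (assumed UI origins).
func strictCheckOrigin(allowed ...string) func(*http.Request) bool {
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[strings.ToLower(a)] = true
	}
	return func(r *http.Request) bool {
		u, err := url.Parse(r.Header.Get("Origin"))
		// Rejects a missing Origin, the opaque "null" origin and non-HTTP schemes.
		if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
			return false
		}
		// Compare the full origin: a sibling subdomain or another port on
		// localhost is same-site for cookies but a different origin here.
		return set[strings.ToLower(u.Scheme+"://"+u.Host)]
	}
}

// handshake builds a constructed upgrade request carrying the given Origin.
func handshake(origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://dozzle.example.test/exec", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	check := strictCheckOrigin("https://dozzle.example.test")
	for _, o := range []string{"https://dozzle.example.test", "https://blog.example.test", "http://localhost:3000", "null", ""} {
		fmt.Printf("%-32q permissive=%v strict=%v\n", o, permissiveCheckOrigin(handshake(o)), check(handshake(o)))
	}
}
```

Rejecting requests with no Origin header also blocks non-browser clients that omit it; relax that branch only if such clients are expected and authenticate by other means.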
