PT-2026-41771 · Dozzle · Dozzle

Eddie Ran · Published 2026-05-18 · Updated 2026-06-09 · CVE-2026-45298
CVSS v3.1: 8.6 (High) · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Dozzle versions prior to 10.5.2

Description: In default deployments where no DOZZLE_AUTH_PROVIDER is set, the endpoint 'POST /api/notifications/test-webhook' is accessible without authentication. This allows an unauthenticated attacker to perform a full-reflection Server-Side Request Forgery (SSRF): the server is tricked into making requests to internal or external resources chosen by the attacker, and part of the response is returned to them. The attacker supplies a controlled URL and request headers via the URL and Headers variables, which are then processed by the WebhookDispatcher and the testWebhook() function.

If the target server responds with a non-2xx status code, the response status code and up to 1 MB of the response body are returned to the caller. This can be used to probe internal networks, reach private subnets and loopback services, or retrieve sensitive information from cloud metadata services (IMDS). Because the request headers are attacker-controlled, header injection against downstream internal services is also possible.

Recommendations: Update to version 10.5.2 or later. As a temporary workaround, set the DOZZLE_AUTH_PROVIDER variable to enable authentication and restrict access to the 'POST /api/notifications/test-webhook' endpoint.
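As an added illustration (this is not Dozzle's code and not the 10.5.2 fix), the server-side checks that close the weaknesses the description names: the webhook URL may only be http(s) and must resolve to public addresses (loopback, private ranges and the link-local IMDS address are rejected), and caller-supplied headers are reduced to a constructed allowlist with CR/LF values dropped. Function names, the header allowlist and the injected resolver signature are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isPublicIP rejects loopback, RFC 1918/ULA, link-local (which covers the
// 169.254.169.254 IMDS address), unspecified and multicast addresses.
func isPublicIP(ip net.IP) bool {
	return !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// ValidateWebhookURL allows only http(s) targets whose every resolved address
// is public; the resolver is injected so lookups can be controlled and tested offline.
func ValidateWebhookURL(raw string, resolve func(string) ([]net.IP, error)) error {
	u, err := url.Parse(raw)
	if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" {
		return fmt.Errorf("only well-formed http(s) URLs with a host are allowed: %q", raw)
	}
	host := u.Hostname()
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip} // literal address: check it directly
	} else if ips, err = resolve(host); err != nil || len(ips) == 0 {
		return fmt.Errorf("%s does not resolve", host)
	}
	for _, ip := range ips {
		if !isPublicIP(ip) {
			return fmt.Errorf("%s resolves to non-public address %s", host, ip)
		}
	}
	return nil
}

// FilterHeaders keeps only a constructed allowlist of caller-supplied headers and
// drops CR/LF values, so Host/Authorization overrides and injected lines never reach the target.
func FilterHeaders(in map[string]string) map[string]string {
	allowed := map[string]bool{"content-type": true, "x-webhook-token": true}
	out := map[string]string{}
	for k, v := range in {
		if allowed[strings.ToLower(k)] && !strings.ContainsAny(v, "\r\n") {
			out[k] = v
		}
	}
	return out
}
```

Two points the code does not cover: the test endpoint should report only the status code and never the response body, and a single resolution does not defeat DNS rebinding, so the actual request should dial the address that was validated.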

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-45298
GHSA-3V9W-6365-9W54

Affected Products

Dozzle