DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24740: Dozzle Dazzled: Skipping the Velvet Rope with CVE-2026-24740

Vulnerability ID: CVE-2026-24740
CVSS Score: 8.8
Published: 2026-01-27

A critical authorization bypass in Dozzle's agent service allows restricted users to access any container by ID, effectively rendering Label-Based Access Control (LBAC) useless for direct lookups.

TL;DR

Dozzle v9.0.2 implemented access control on the front door but left the back window open. While the UI filtered which containers you could see in a list, the backend API that retrieves a specific container by ID ignored the caller's access permissions entirely. Any authenticated user could therefore reach any container managed by Dozzle agents, view its logs, and execute commands in it, regardless of the restrictions assigned to them.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-285
  • Attack Vector: Network
  • CVSS: 8.8 (High)
  • Impact: Confidentiality, Integrity, Availability
  • Exploit Status: PoC Available
  • Architecture: Agent/Client gRPC

Affected Systems

  • Dozzle (Docker Log Viewer)
  • Dozzle: <= 9.0.2 (Fixed in: 9.0.3)

Code Analysis

Commit: 620e59a

Fix: propagate container filter to agent client for FindContainer

func (c *Client) FindContainer(ctx context.Context, id string, labels container.ContainerLabels) (container.Container, error) { ... }

Commit: 58caca2

Fix: Avoid log.Fatal on malformed container filter input

- log.Fatal(err)
+ log.Warn(err)
+ http.Error(w, err.Error(), http.StatusBadRequest)
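Review bot: no `return` is visible after `+ http.Error(w, err.Error(), http.StatusBadRequest)`; if the handler keeps executing past this line it proceeds with whatever value the failed filter parse left behind, so confirm the error path exits right after the `http.Error` call (or restructure so that it does). Separately, `err.Error()` from a parse failure echoes the raw client input back in the response; a fixed message such as "invalid container filter" with the detail left in the `log.Warn(err)` line avoids reflecting it.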
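The two fixes described above, as an added Go example that is not Dozzle's code: the Container and ContainerLabels types, the in-memory store, the "key=value,key=value" filter syntax, the HandleFind handler and the route path are constructed stand-ins for Dozzle's container.Container, container.ContainerLabels and agent API. FindContainerVulnerable mirrors the pre-9.0.3 behaviour (lookup by ID never consults the filter), FindContainerFixed applies the filter on the direct lookup as commit 620e59a does, and HandleFind answers malformed filter input with 400 instead of log.Fatal as commit 58caca2 does.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Container is a constructed stand-in for Dozzle's container.Container.
type Container struct {
	ID     string
	Name   string
	Labels map[string]string
}

// ContainerLabels is a constructed stand-in for Dozzle's container.ContainerLabels:
// label key -> accepted values. An empty filter means the caller is unrestricted.
type ContainerLabels map[string][]string

// ErrNotFound covers both "no such ID" and "ID outside the caller's filter", so a
// restricted user cannot tell whether an ID exists at all.
var ErrNotFound = errors.New("container not found")

// store is constructed sample data standing in for what an agent knows about.
var store = []Container{
	{ID: "aaa111", Name: "web", Labels: map[string]string{"team": "frontend"}},
	{ID: "bbb222", Name: "db", Labels: map[string]string{"team": "backend"}},
}

func contains(xs []string, x string) bool {
	for _, y := range xs {
		if y == x {
			return true
		}
	}
	return false
}

// matches reports whether every label in the filter is present on the container
// with one of the accepted values. A nil or empty filter matches everything.
func (f ContainerLabels) matches(c Container) bool {
	for key, accepted := range f {
		v, ok := c.Labels[key]
		if !ok || !contains(accepted, v) {
			return false
		}
	}
	return true
}

// FindContainerVulnerable mirrors the pre-fix behaviour described in the report:
// the lookup by ID ignores the caller's filter, so any known ID is returned.
func FindContainerVulnerable(id string, _ ContainerLabels) (Container, error) {
	for _, c := range store {
		if c.ID == id {
			return c, nil
		}
	}
	return Container{}, ErrNotFound
}

// FindContainerFixed propagates the filter to the direct lookup: an out-of-scope
// container is indistinguishable from a missing one.
func FindContainerFixed(id string, filter ContainerLabels) (Container, error) {
	for _, c := range store {
		if c.ID == id && filter.matches(c) {
			return c, nil
		}
	}
	return Container{}, ErrNotFound
}

// ParseFilter parses the constructed "key=value,key=value" syntax (the real Dozzle
// syntax differs). A malformed element is an ordinary error, never a fatal one.
func ParseFilter(s string) (ContainerLabels, error) {
	f := ContainerLabels{}
	if strings.TrimSpace(s) == "" {
		return f, nil
	}
	for _, part := range strings.Split(s, ",") {
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed filter element %q", part)
		}
		f[kv[0]] = append(f[kv[0]], kv[1])
	}
	return f, nil
}

// HandleFind is a hypothetical handler: bad input gets a 400 and a warning in the
// log, and the process keeps serving; a log.Fatal here would stop Dozzle entirely.
func HandleFind(w http.ResponseWriter, r *http.Request) {
	filter, err := ParseFilter(r.URL.Query().Get("filter"))
	if err != nil {
		fmt.Println("warn:", err) // the real fix uses log.Warn(err)
		http.Error(w, "invalid container filter", http.StatusBadRequest)
		return // without this return a nil filter would match every container
	}
	c, err := FindContainerFixed(r.URL.Query().Get("id"), filter)
	if err != nil {
		http.Error(w, err.Error(), http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, "%s %s\n", c.ID, c.Name)
}

// StatusFor drives HandleFind with a raw query string and returns the HTTP status.
func StatusFor(query string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/containers/find?"+query, nil)
	rec := httptest.NewRecorder()
	HandleFind(rec, req)
	return rec.Code
}

func main() {
	frontend := ContainerLabels{"team": {"frontend"}}
	_, err := FindContainerVulnerable("bbb222", frontend)
	fmt.Println("vulnerable lookup of backend container:", err) // <nil>: the bypass
	_, err = FindContainerFixed("bbb222", frontend)
	fmt.Println("fixed lookup of backend container:", err) // container not found
	fmt.Println("malformed filter status:", StatusFor("id=aaa111&filter=team"))
}
```

The detection angle follows from the same code: a user whose list view is scoped to one label value but whose direct lookups succeed for IDs outside that scope is exactly the signature an access-log audit should look for on unpatched agents.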

Exploit Details

  • Internal Research: Code diff analysis reveals trivial bypass via agent service API.

Mitigation Strategies

  • Upgrade Immediately
  • Harden Proxy Headers
  • Audit Access Logs

Remediation Steps:

  1. Pull the latest Dozzle image: docker pull amir20/dozzle:latest
  2. Verify you are running at least version v9.0.3.
  3. If you rely on a reverse proxy for authentication (Proxy Auth), ensure that the headers providing user information cannot be set by the client.
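Step 3 in code, as an added Go example that is not Dozzle's or any particular proxy's code: a middleware in front of Dozzle that discards whatever identity headers the client sent and sets its own values from a session it has verified itself. The header names (Remote-User, Remote-Email, Remote-Name, Remote-Filter), the cookie check and the filter value are assumptions for illustration; the exact headers a given Dozzle version reads in forward-proxy mode are in its documentation.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// identityHeaders are the headers this example treats as trusted identity input.
// Assumption: the names are illustrative, not taken from Dozzle's source.
var identityHeaders = []string{"Remote-User", "Remote-Email", "Remote-Name", "Remote-Filter"}

// authenticate stands in for the proxy's own session check (constructed: a real
// proxy validates a session cookie or token against its identity provider).
func authenticate(r *http.Request) (user, filter string, ok bool) {
	if c, err := r.Cookie("session"); err == nil && c.Value == "alice-token" {
		return "alice", "team=frontend", true // constructed identity and filter
	}
	return "", "", false
}

// HardenIdentityHeaders wraps the handler that forwards to Dozzle. Every identity
// header is deleted before the proxy's own values are set, so a spoofed Remote-User
// or a blanked-out Remote-Filter from the client never reaches the backend.
func HardenIdentityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, h := range identityHeaders {
			r.Header.Del(h)
		}
		user, filter, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("Remote-User", user)
		r.Header.Set("Remote-Filter", filter)
		next.ServeHTTP(w, r)
	})
}

// ForwardedHeaders sends one request through the middleware and returns the
// headers the backend would receive plus the status the client got.
func ForwardedHeaders(sessionCookie string, clientHeaders map[string]string) (http.Header, int) {
	seen := http.Header{}
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Clone()
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if sessionCookie != "" {
		req.AddCookie(&http.Cookie{Name: "session", Value: sessionCookie})
	}
	for k, v := range clientHeaders {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	HardenIdentityHeaders(backend).ServeHTTP(rec, req)
	return seen, rec.Code
}

func main() {
	spoofed := map[string]string{"Remote-User": "admin", "Remote-Filter": ""}
	h, code := ForwardedHeaders("alice-token", spoofed)
	println(code, h.Get("Remote-User"), h.Get("Remote-Filter")) // 200 alice team=frontend
}
```

The same rule applies whatever proxy you actually use: the identity headers must be set unconditionally by the proxy on every forwarded request, never passed through when present, and Dozzle itself should only be reachable through that proxy.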

Read the full report for CVE-2026-24740 on our website for more details including interactive diagrams and full exploit analysis.
