CVE-2026-24740

Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue.

Configurations

Configuration 1

cpe:2.3:a:amirraminfar:dozzle:*:*:*:*:*:docker:*:*

History

17 Jun 2026, 10:23

| Type | Values Removed | Values Added |
|---|---|---|
| Summary | | (es) Dozzle is a real-time log viewer for Docker containers. Prior to version 9.0.3, a flaw in Dozzle's agent-backed shell endpoints allows a user restricted by label filters (for example, 'label=env=dev') to obtain an interactive root shell in out-of-scope containers (for example, 'env=prod') on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. |

19 Feb 2026, 21:30

| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.9 |
| CPE | | cpe:2.3:a:amirraminfar:dozzle:*:*:*:*:*:docker:*:* |
| References | https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1 | https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1 - Patch |
| References | https://github.com/amir20/dozzle/releases/tag/v9.0.3 | https://github.com/amir20/dozzle/releases/tag/v9.0.3 - Product, Release Notes |
| References | https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5 | https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5 - Exploit, Mitigation, Vendor Advisory |
| First Time | | Amirraminfar; Amirraminfar dozzle |

27 Jan 2026, 21:16

| Type | Values Removed | Values Added |
|---|---|---|
| New CVE | | |

Information

Published : 2026-01-27 21:16

Updated : 2026-06-17 10:23


NVD link : CVE-2026-24740

Mitre link : CVE-2026-24740

CVE.ORG link : CVE-2026-24740


Products Affected

amirraminfar

  • dozzle

CWE

CWE-284: Improper Access Control

CWE-863: Incorrect Authorization