CVE-2026-45298: Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

May 18, 2026 (updated June 8, 2026)

In a default dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that:

Sends an HTTP POST to the supplied URL with attacker-controlled request headers, and
Returns the response status code AND up to 1MB of the response body to the caller, when the target replies non-2xx.

This is a classic full-reflection SSRF, pre-auth, against any IP/port that dozzle’s host can route to — including private subnets, link-local cloud metadata, and loopback services.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-45298 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →