EXECUTIVE SUMMARY:
CVE-2026-44985 with a CVSS score of 7.5 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the dozzle application, affecting versions of the go/github.com/amir20/dozzle package up to 10.5.1. The vulnerability arises from the WebSocket upgrader for the /exec and /attach endpoints accepting upgrade requests from any origin, combined with the JWT cookie using SameSite: Lax, which enables CSWSH even when authentication is properly configured. An attacker hosting a page on a same-site origin can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This capability allows the attacker to perform unauthorized actions within the victim's authorized containers. The business impact and consequences of a successful exploit include unauthorized access to sensitive data, disruption of business operations, and potential financial loss. The vulnerability requires the attacker to have a page on the same site as the victim's session and to be able to send a WebSocket request with the victim's valid JWT cookie.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-44985 with a CVSS score of 7.5 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the dozzle application, affecting versions of the go/github.com/amir20/dozzle package up to 10.5.1. The vulnerability arises from the WebSocket upgrader for the /exec and /attach endpoints accepting upgrade requests from any origin, combined with the JWT cookie using SameSite: Lax, which enables CSWSH even when authentication is properly configured. An attacker hosting a page on a same-site origin can initiate a WebSocket connection to the exec endpoint that carries the victim's valid JWT cookie, gaining interactive shell access in any container the victim is authorized to access. This capability allows the attacker to perform unauthorized actions within the victim's authorized containers. The business impact and consequences of a successful exploit include unauthorized access to sensitive data, disruption of business operations, and potential financial loss. The vulnerability requires the attacker to have a page on the same site as the victim's session and to be able to send a WebSocket request with the victim's valid JWT cookie.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-j643-x8pv-8m67