Description
Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out‑of‑scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5
Patch x_refsource_misc
https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1
Release Notes x_refsource_misc
https://github.com/amir20/dozzle/releases/tag/v9.0.3
Scores
CVSS v3
9.9
EPSS
0.0002
EPSS Percentile
6.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-284
CWE-863
Status
published
Products (2)
amir20/dozzle
0 - 1.29.1-0.20260125230338-620e59aa2463Go
amirraminfar/dozzle
< 9.0.3
Published
Jan 27, 2026
Tracked Since
Feb 18, 2026