CVE-2026-24740

9.9 CRITICAL

📋 TL;DR

This vulnerability in Dozzle allows users restricted by label filters to bypass container isolation and obtain interactive root shells in out-of-scope containers on the same agent host. Attackers can directly target container IDs they shouldn't have access to, potentially compromising production containers. All Dozzle deployments using agent-backed shell endpoints with label-based access controls are affected.

💻 Affected Systems

Products:
  • Dozzle
Versions: All versions prior to 9.0.3
Operating Systems: All platforms running Docker containers
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using agent-backed shell endpoints with label-based access controls. The vulnerability exists in the access control logic for shell endpoints.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full container escape leading to host compromise, lateral movement across containers, data exfiltration from production systems, and complete environment takeover.

🟠 Likely Case

Unauthorized access to production containers, privilege escalation within containers, potential data leakage, and disruption of production services.

🟢 If Mitigated

Limited to container-level access without host escape, contained by proper network segmentation and additional security controls.

🌐 Internet-Facing: HIGH if Dozzle is exposed to the internet, as attackers could bypass authentication and gain shell access to containers.
🏢 Internal Only: MEDIUM for internal deployments, as attackers would need internal network access first, but once in, could escalate privileges across containers.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to Dozzle but bypasses label-based restrictions. Attackers need to know or discover container IDs to target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.0.3

Vendor Advisory: https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5

Restart Required: Yes

Instructions:

1. Stop the Dozzle service.
2. Update to version 9.0.3 or later using your package manager or Docker.
3. Restart the Dozzle service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable agent-backed shell endpoints

Platform: all

Temporarily disable the vulnerable shell endpoints until patching is possible:

docker run -d --name dozzle -v /var/run/docker.sock:/var/run/docker.sock -p 8080:8080 amir20/dozzle:latest --no-shell

Implement network segmentation

Platform: all

Isolate Dozzle from production containers using network policies.

🧯 If You Can't Patch

  • Implement strict network segmentation between Dozzle and production containers
  • Disable shell access entirely and use read-only log viewing only

🔍 How to Verify

Check if Vulnerable:

Check the Dozzle version: docker inspect dozzle | grep -i version. If the version is below 9.0.3 and shell endpoints are enabled, the deployment is vulnerable.

Check Version:

docker inspect dozzle | grep -i version

Verify Fix Applied:

Verify that the version is 9.0.3 or higher: docker inspect dozzle | grep -i version. Then test that label-based restrictions actually prevent access to out-of-scope containers.
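The version check above, written out as an added example (not code from the advisory or the Dozzle project): it normalises an image tag or version string, compares it numerically against the fixed release 9.0.3 (so 9.10.0 is not mistaken for an older build), and reports whether the deployment is still affected. Reading the version from the running container's image reference via docker inspect is an assumption about how your deployment records it.

```shell
#!/bin/sh
# Added example: is a Dozzle version older than the fixed release 9.0.3?
# Assumption: the version is taken from the image tag (e.g. amir20/dozzle:9.0.2).

FIXED_VERSION="9.0.3"

# Reduce a tag or image reference to "major.minor.patch": drop the image name,
# a leading "v" and any pre-release/build suffix. Fails for "latest" or junk.
extract_version() {
    v="${1##*:}"           # keep only what follows the last ":" (the tag)
    v="${v#v}"             # drop a leading "v"
    v="${v%%[-+]*}"        # drop "-rc1" / "+build" suffixes
    case "$v" in
        *[!0-9.]*|"") return 1 ;;   # not a comparable numeric version
    esac
    printf '%s\n' "$v"
}

# Numeric comparison of two dotted versions; prints -1, 0 or 1.
compare_versions() {
    a="$1"; b="$2"; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}                    # missing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
        i=$((i + 1))
    done
    printf '%s\n' 0
}

# Exit status: 0 = affected (older than 9.0.3), 1 = fixed, 2 = cannot tell.
dozzle_is_affected() {
    ver=$(extract_version "$1") || return 2
    [ "$(compare_versions "$ver" "$FIXED_VERSION")" -lt 0 ]
}

# Live check against a running container (needs Docker; container name defaults
# to "dozzle"). Reads the image reference the container was started from.
check_running_dozzle() {
    image=$(docker inspect --format '{{.Config.Image}}' "${1:-dozzle}") || return 2
    dozzle_is_affected "$image"
}
```

A floating tag such as latest yields exit status 2; pin the tag or read the version from the Dozzle UI or release notes instead of trusting the tag.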

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized shell access attempts to container IDs
  • Failed label validation logs
  • Unexpected shell sessions from Dozzle

Network Indicators:

  • Unexpected shell connections from Dozzle to production containers
  • SSH or shell traffic patterns from Dozzle agent

SIEM Query:

source="dozzle" AND (event="shell_access" OR event="container_exec") AND container_labels NOT CONTAINS expected_labels
