Cyber Posture

CVE-2026-24841

Critical · Public PoC

Published: 28 January 2026
Modified: 04 February 2026
KEV Added:
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0011 (29.2th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Requires validation of untrusted inputs such as containerId and activeWay before they are interpolated into shell commands, directly preventing command injection.

prevent: Mandates identification, reporting and correction of flaws such as this command injection vulnerability, enabling timely patching to version 0.26.6 or later.

prevent: Enforces least privilege on the Dokploy process that handles WebSocket requests, limiting the scope and impact of any host commands executed via injection.

Security Summary [AI-generated]

CVE-2026-24841 is a critical command injection vulnerability (CWE-78) in Dokploy, a free self-hostable Platform as a Service (PaaS). It affects versions prior to 0.26.6 and exists in the WebSocket endpoint `/docker-container-terminal`, where the `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and scope change (S:C). Exploitation enables execution of arbitrary commands on the host server, resulting in high confidentiality and integrity impacts alongside low availability impact, as reflected in the CVSS 3.1 score of 9.9.

Dokploy version 0.26.6 addresses the issue. The GitHub security advisory (GHSA-vx6x-6559-x35r) details the vulnerability, the commit 74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f provides the fix, and the source code at apps/dokploy/server/wss/docker-container-terminal.ts shows the affected implementation. Practitioners should upgrade to 0.26.6 or later.
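The root cause described above is the classic OS command injection pattern: client-controlled strings spliced into a shell command line. The following is an added example written for this page, not Dokploy's code and not the actual fix in the referenced commit. It contrasts the interpolation pattern with a hardened handler that validates `containerId` against the character set Docker itself accepts, takes the shell name from a fixed allowlist, and hands an argv array to `execFile` so no shell ever parses the values. The `TerminalRequest` shape, the `docker exec -i` invocation and the function names are assumptions for illustration.

```typescript
// Added example (not Dokploy's code): shell interpolation versus validated,
// argv-based execution for a "open a shell in container X" WebSocket handler.
import { execFile } from "node:child_process";
import type { ChildProcess } from "node:child_process";

// Hypothetical message shape for the handler. The field names follow the
// advisory's parameter names; everything else is assumed.
export interface TerminalRequest {
  containerId: string;
  activeWay: string;
}

// Docker refers to a container either by a hex ID (a 12+ character prefix of
// the 64-character ID) or by a name matching [A-Za-z0-9][A-Za-z0-9_.-]+.
// Anything outside that set (spaces, ';', '/', a leading '-') is rejected,
// which also stops option injection such as a value beginning with "--".
const CONTAINER_REF = /^(?:[0-9a-f]{12,64}|[A-Za-z0-9][A-Za-z0-9_.-]{0,127})$/;

// The shell to start is chosen from an allowlist, never copied from the client.
const ALLOWED_SHELLS: ReadonlySet<string> = new Set(["bash", "sh"]);

// Vulnerable pattern: both client values are concatenated into a single string
// that a shell will later parse, so metacharacters change the command.
// Returned rather than executed here so the effect can be inspected.
export function vulnerableCommand(req: TerminalRequest): string {
  return `docker exec -i ${req.containerId} ${req.activeWay}`;
}

// Hardened pattern: validate first, then build an argv array. Each element is
// passed to docker as one argument; no shell is involved.
export function buildExecArgs(req: TerminalRequest): { file: string; args: string[] } {
  if (!CONTAINER_REF.test(req.containerId)) {
    throw new Error("invalid containerId");
  }
  if (!ALLOWED_SHELLS.has(req.activeWay)) {
    throw new Error("unsupported shell");
  }
  return { file: "docker", args: ["exec", "-i", req.containerId, req.activeWay] };
}

// Runs the validated command with execFile (no shell). A real terminal bridge
// would attach a pty instead; the spawning detail is not the point here.
export function openTerminal(req: TerminalRequest): ChildProcess {
  const { file, args } = buildExecArgs(req);
  return execFile(file, args);
}

// Convenience for callers and tests: true when the hardened path refuses input.
export function isRejected(req: TerminalRequest): boolean {
  try {
    buildExecArgs(req);
    return false;
  } catch {
    return true;
  }
}
```

Two design points matter more than the specific regex: validation is an allowlist (what a container reference may look like), not a denylist of shell metacharacters, and the execution API takes an argument vector so that even a value that slipped past validation would reach `docker` as a single argument rather than be re-parsed by `/bin/sh`.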

Details

CWE(s)

CWE-78: OS Command Injection

Affected Products

Vendor: dokploy
Product: dokploy
Versions: ≤ 0.26.6

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE allows a public-facing web application to be exploited (T1190) through command injection in a WebSocket endpoint, which leads to Unix shell execution (T1059.004) and escalation from a low-privileged authenticated account to remote code execution on the host (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
