CVE-2026-24840
Published: 28 January 2026
Summary
CVE-2026-24840 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Dokploy. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The vulnerability ranks at the 26.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates changing default authenticators prior to first use, protecting them from unauthorized disclosure, and ensuring sufficient strength, directly preventing the use of hardcoded database credentials shared across Dokploy installations.
SI-2 requires timely identification, reporting, and correction of system flaws, including patching Dokploy to version 0.26.6 or later to eliminate the hardcoded credential in the installation script.
CM-6 establishes and enforces secure configuration settings for system components like database containers, preventing reliance on hardcoded passwords from the Dokploy installation script.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hardcoded database credentials embedded in the publicly accessible install.sh allow the credential to be read directly from the file (T1552.001, Credentials In Files) and then used to authenticate to the database container as a valid account (T1078).
NVD Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
Deeper analysis
CVE-2026-24840 is a use of hard-coded credentials vulnerability (CWE-798) in Dokploy, a free self-hostable Platform as a Service (PaaS). It affects versions prior to 0.26.6 due to a hardcoded password in the installation script at https://dokploy.com/install.sh (line 154), which is used when creating the database container. This configuration causes nearly all Dokploy installations to share the same database credentials, exposing them to potential compromise. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with adjacent network access (AV:A) and low privileges (PR:L) can use the shared hardcoded database credentials with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high-impact access to the database container, enabling confidentiality breaches, integrity modifications, and availability disruptions (C:H/I:H/A:H) on affected Dokploy instances.
Mitigation is available in Dokploy version 0.26.6, which patches the hardcoded credential in the installation script, as detailed in the GitHub security advisory (GHSA-jr65-3j3w-gjmc) and the fixing commit (b902c160a256ad345ac687c87eb092f1fab2c64d). Security practitioners should upgrade to 0.26.6 or later and review existing installations for the shared credentials.
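As an added illustration (this is not Dokploy's install.sh and not the code from the fixing commit), the POSIX shell functions below contrast the weak pattern the advisory describes, a single literal password baked into an install script, with generating a fresh secret per installation, writing it to a mode-0600 environment file, and refusing to continue when the configured value matches a known shared credential. The placeholder literal, the env file path and the `POSTGRES_PASSWORD` variable name are assumptions; the real shared value is not reproduced here and would be taken from the advisory when reviewing an existing installation.

```shell
#!/bin/sh
# Added example, not Dokploy's own installer.

# Weak pattern: the same literal on every host. This string is a constructed
# placeholder standing in for a known shared credential; it is NOT the real value.
KNOWN_SHARED_DB_PASSWORD='example-shared-placeholder-password'

# Hardened pattern: derive a fresh secret for each installation.
generate_db_password() {
    # 32 random bytes, base64-encoded on one line; fall back to /dev/urandom
    # when openssl is not installed.
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32 | tr -d '\n'
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# Review check: succeed only if the candidate is neither the known shared
# credential nor shorter than 24 characters. Returns 0 (ok) or 1 (reject).
check_db_password() {
    candidate="$1"
    [ "$candidate" != "$KNOWN_SHARED_DB_PASSWORD" ] || return 1
    [ "${#candidate}" -ge 24 ] || return 1
    return 0
}

# Persist the secret for the database container with owner-only permissions.
# The file path is an assumption; the container would read it via --env-file.
write_db_env_file() {
    env_file="$1"
    password="$2"
    check_db_password "$password" || return 1
    # umask 077 in a subshell so the file is created 0600 without touching
    # the caller's umask.
    ( umask 077 && printf 'POSTGRES_PASSWORD=%s\n' "$password" > "$env_file" )
}

# Stand-alone usage: generate, validate, and write to a temp file.
if [ "${0##*/}" = "install-example.sh" ]; then
    pw=$(generate_db_password)
    write_db_env_file "$(mktemp)" "$pw" && echo "per-install database secret written"
fi
```

The length and equality checks are deliberately simple: the point of the review step is that an installation whose database password equals the value published in the advisory must be rotated, regardless of whether the package itself has been upgraded to 0.26.6.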
Details
- CWE(s)