CVE-2026-24841
Published: 28 January 2026
Summary
CVE-2026-24841 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dokploy. Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 29.2 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of untrusted inputs such as containerId and activeWay before they are interpolated into shell commands, directly preventing command injection.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as this command injection vulnerability, enabling timely patching to version 0.26.6 or later.
- Least privilege: enforcing least privilege on the Dokploy process that handles WebSocket requests limits the scope and impact of arbitrary host commands executed via injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web application (T1190) via command injection in a WebSocket endpoint, which leads to Unix shell command execution (T1059.004) and to privilege escalation from a low-privileged authenticated user to remote code execution on the host (T1068).
NVD Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Deeper analysis
CVE-2026-24841 is a critical command injection vulnerability (CWE-78) in Dokploy, a free self-hostable Platform as a Service (PaaS). It affects versions prior to 0.26.6 and exists in the WebSocket endpoint `/docker-container-terminal`, where the `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization.
Authenticated attackers with low privileges can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and scope change (S:C). Exploitation enables execution of arbitrary commands on the host server, resulting in high confidentiality and integrity impacts alongside low availability impact, as reflected in the CVSS 3.1 score of 9.9.
Dokploy version 0.26.6 addresses the issue. The GitHub security advisory (GHSA-vx6x-6559-x35r) details the vulnerability, commit 74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f provides the fix, and the source file apps/dokploy/server/wss/docker-container-terminal.ts contains the affected implementation. Practitioners should upgrade to 0.26.6 or later.
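The SI-10 control above and the analysis of the interpolated `containerId` and `activeWay` parameters describe the defensive pattern in words; the following is an added illustrative example, not Dokploy's own code or its actual fix, showing how such a terminal handler can validate both parameters and launch docker with an argv array instead of a shell string. It assumes that `activeWay` selects the shell started inside the container and that the handler uses `docker exec`; both are assumptions, not facts from the advisory.

```typescript
// Added example (not Dokploy's code). The advisory describes the vulnerable
// pattern: both parameters are interpolated into one shell command string.
// The hardened form below (1) rejects anything that is not a plausible
// container ID/name or a known shell, and (2) passes the values as separate
// argv elements to spawn(), so no shell ever parses them.
import { spawn, ChildProcess } from "node:child_process";

// Docker container IDs are hex; names start alphanumeric and may contain
// [A-Za-z0-9_.-]. A leading "-" is also refused so a value can never be
// parsed as a docker option.
const CONTAINER_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;

// Assumed meaning of activeWay: the shell to start in the container.
const ALLOWED_SHELLS: ReadonlySet<string> = new Set(["bash", "sh"]);

export function validateContainerId(id: unknown): string {
  if (typeof id !== "string" || !CONTAINER_ID_RE.test(id)) {
    throw new Error("invalid containerId");
  }
  return id;
}

export function validateActiveWay(way: unknown): string {
  if (typeof way !== "string" || !ALLOWED_SHELLS.has(way)) {
    throw new Error("invalid activeWay");
  }
  return way;
}

// Build the argv for `docker exec`. Every element is a distinct argument;
// there is no string concatenation and no shell involved.
export function buildDockerExecArgs(containerId: unknown, activeWay: unknown): string[] {
  return ["exec", "-it", validateContainerId(containerId), validateActiveWay(activeWay)];
}

// Start the container terminal with spawn() (argv form, shell: false by
// default). Validation errors are thrown before any process is created.
export function startTerminal(containerId: unknown, activeWay: unknown): ChildProcess {
  const args = buildDockerExecArgs(containerId, activeWay);
  return spawn("docker", args, { stdio: "pipe" });
}
```

Wiring the WebSocket session to the child's stdio (or to a pty library) is unchanged by this; the point is that the untrusted values reach the process only after validation and only as argv elements.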
Details
- CWE(s)