Cyber Resilience

CVE-2026-24841

Critical · Public PoC · RCE

Published: 28 January 2026
Modified: 04 February 2026
KEV Added: not listed
Patch: 0.26.6
CVSS v3.1 base score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L)
EPSS score: 0.0252 (82.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-24841 is a critical-severity OS Command Injection (CWE-78) vulnerability in Dokploy, a self-hostable Platform as a Service. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.2% of CVEs by exploit likelihood (EPSS 82.8th percentile), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24841 is a critical command injection vulnerability (CWE-78) in Dokploy, a free self-hostable Platform as a Service (PaaS). It affects versions prior to 0.26.6 and exists in the WebSocket endpoint `/docker-container-terminal`, where the `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Because the injected command runs on the host rather than inside the container the terminal was opened for, the scope changes (S:C). Exploitation enables execution of arbitrary commands on the host server, with high confidentiality and integrity impact and low availability impact, which yields the CVSS 3.1 base score of 9.9.

Dokploy version 0.26.6 addresses the issue. The GitHub security advisory (GHSA-vx6x-6559-x35r) details the vulnerability, the commit 74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f provides the fix, and the source code at apps/dokploy/server/wss/docker-container-terminal.ts shows the affected implementation. Practitioners should upgrade to 0.26.6 or later.

Vulnerability details

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
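The interpolation pattern described above (in both the deeper analysis and the vulnerability details), placed next to one hardened form, as an added TypeScript illustration. This is not Dokploy's code and not the project's actual fix; the function names, the containerId pattern, the shell allowlist and the sample payload are assumptions constructed for this example.

```typescript
// Added illustration, not Dokploy's code: the shell-string interpolation
// pattern the advisory describes, next to one hardened form. Function names,
// the containerId pattern, the shell allowlist and the payload are assumed.
import { spawn } from "child_process";
import type { ChildProcess } from "child_process";

// VULNERABLE PATTERN (CWE-78): the two WebSocket parameters are dropped into
// a command string that is later handed to a shell. Metacharacters such as
// ';', '|', '&&' or '$(...)' in either value become extra host commands.
function buildVulnerableCommand(containerId: string, activeWay: string): string {
  return `docker exec -it ${containerId} ${activeWay}`;
}

// HARDENED FORM, step 1: strict allowlist validation of each value.
// Docker accepts container names matching [a-zA-Z0-9][a-zA-Z0-9_.-]+ and hex
// IDs; this pattern admits both and rejects every shell metacharacter.
const CONTAINER_ID_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;
// A terminal feature only needs to offer a couple of shells (assumed set).
const ALLOWED_SHELLS: ReadonlySet<string> = new Set(["bash", "sh"]);

function isValidContainerId(containerId: string): boolean {
  return CONTAINER_ID_RE.test(containerId);
}

function isAllowedShell(activeWay: string): boolean {
  return ALLOWED_SHELLS.has(activeWay);
}

// HARDENED FORM, step 2: build an argv array instead of a string, so each
// value reaches docker as exactly one argument regardless of its content.
// "-i" keeps stdin open; a real terminal would allocate a PTY for "-t".
function buildDockerExecArgv(containerId: string, activeWay: string): string[] {
  if (!isValidContainerId(containerId)) {
    throw new Error("rejected containerId");
  }
  if (!isAllowedShell(activeWay)) {
    throw new Error("rejected activeWay");
  }
  return ["exec", "-i", containerId, activeWay];
}

// HARDENED FORM, step 3: spawn the docker binary directly with shell:false
// (spawn's default), so no shell ever parses the user-controlled values.
function startContainerShell(containerId: string, activeWay: string): ChildProcess {
  return spawn("docker", buildDockerExecArgv(containerId, activeWay), {
    stdio: "pipe",
    shell: false,
  });
}

// Constructed attacker input for the demonstration: a plausible container
// name, a shell separator, a second command, and a '#' to discard the rest.
const INJECTION_PAYLOAD = "abc123; id > /tmp/pwned #";

console.log(buildVulnerableCommand(INJECTION_PAYLOAD, "bash"));
// docker exec -it abc123; id > /tmp/pwned # bash   (two commands; "bash" is commented out)
console.log(isValidContainerId(INJECTION_PAYLOAD)); // false
try {
  startContainerShell(INJECTION_PAYLOAD, "bash");
} catch (e) {
  console.log("blocked:", (e as Error).message); // blocked: rejected containerId
}
```

The three hardened steps are independent defences: even if the allowlist were loosened later, passing an argv array to spawn without a shell means a containerId containing ';' is handed to docker as a single (invalid) container name rather than being parsed as two commands.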

CWE(s)

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE enables exploitation of a public-facing web application (T1190) through command injection in a WebSocket endpoint; the injected payload runs through a Unix shell (T1059.004), and a low-privileged authenticated user ends up with command execution on the host (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-53825 · same product (Dokploy)
CVE-2026-24840 · same product (Dokploy)
CVE-2026-27635 · shared CWE-78
CVE-2025-56077 · shared CWE-78
CVE-2026-28773 · shared CWE-78
CVE-2025-56102 · shared CWE-78
CVE-2021-47816 · shared CWE-78
CVE-2026-26943 · shared CWE-78
CVE-2025-56094 · shared CWE-78
CVE-2026-28507 · shared CWE-78

Affected Assets

dokploy (vendor: dokploy)
< 0.26.6 (fixed in 0.26.6)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)

Requires validation of untrusted inputs such as containerId and activeWay before they are interpolated into shell commands, directly preventing command injection.

SI-2 Flaw Remediation (prevent)

Mandates identification, reporting and correction of flaws such as this command injection vulnerability, enabling timely patching to version 0.26.6 or later.

AC-6 Least Privilege (prevent)

Enforces least privilege on the Dokploy process handling WebSocket requests, limiting the scope and impact of arbitrary host commands executed via injection.
