CVE-2026-24839
📋 TL;DR
Dokploy versions before 0.26.6 are vulnerable to clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy's web interface in malicious iframes and trick authenticated users into performing unintended actions. Only self-hosted Dokploy instances with the web interface exposed are affected.
💻 Affected Systems
- Dokploy
📦 What is this software?
Dokploy by Dokploy
⚠️ Risk & Real-World Impact
Worst Case
Authenticated users could be tricked into performing administrative actions like deleting projects, modifying configurations, or deploying malicious code through carefully crafted malicious pages.
Likely Case
Attackers could trick users into clicking buttons that perform unintended but non-critical actions, potentially causing service disruptions or configuration changes.
If Mitigated
With proper Content-Security-Policy headers and frame-busting scripts in place, the risk is minimal because browsers block the malicious framing attempts.
🎯 Exploit Status
Exploitation requires user interaction (clicking) and the user must be authenticated to Dokploy. Attackers need to craft convincing malicious pages.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.26.6
Vendor Advisory: https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q
Restart Required: Yes
Instructions:
1. Update Dokploy to version 0.26.6 or later.
2. Restart the Dokploy service.
3. Verify the fix by checking HTTP headers for X-Frame-Options or Content-Security-Policy.
🔧 Temporary Workarounds
Add X-Frame-Options Header
Configure your web server or reverse proxy to add an X-Frame-Options: DENY or SAMEORIGIN header to all Dokploy responses.
# For nginx: add 'add_header X-Frame-Options DENY;' to Dokploy server block
# For Apache: add 'Header always set X-Frame-Options DENY' to Dokploy virtual host
Add Content-Security-Policy Header
Configure Content-Security-Policy with a frame-ancestors directive to control which sites can frame Dokploy.
# For nginx: add 'add_header Content-Security-Policy "frame-ancestors 'self'" always;'
# For Apache: add 'Header always set Content-Security-Policy "frame-ancestors 'self'"'
🧯 If You Can't Patch
- Implement web server headers workaround as described above
- Use browser extensions that block clickjacking attacks for all users
🔍 How to Verify
Check if Vulnerable:
Use browser developer tools or curl to inspect HTTP headers: curl -I https://your-dokploy-instance/ and look for a missing X-Frame-Options header or a Content-Security-Policy without a frame-ancestors directive.
Check Version:
Check Dokploy dashboard or run: docker exec dokploy cat /app/package.json | grep version
Verify Fix Applied:
Check that X-Frame-Options: DENY or Content-Security-Policy with frame-ancestors 'self' is present in HTTP responses.
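As an added example (not Dokploy's own code and not part of the advisory), a small Python checker that applies the verification rules above to a response's headers. The sample headers are constructed; the check_instance URL fetch is optional and assumes the instance is reachable from where the script runs.

```python
"""Offline checker for the anti-framing headers described in this advisory.

Added example, not Dokploy's own code. Headers are modelled as a plain
dict so the logic can be exercised on constructed samples; an optional
live fetch uses urllib against a URL you supply.
"""
import urllib.request


def framing_protection(headers):
    """Return (protected, reason) for one HTTP response's headers.

    Header names are compared case-insensitively. The page counts as
    protected if it sends X-Frame-Options DENY/SAMEORIGIN, or a
    Content-Security-Policy whose frame-ancestors directive does not
    allow arbitrary origins.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if len(parts) > 1 and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            # '*' or a bare scheme source lets any site frame the page
            if "*" in sources or "https:" in sources or "http:" in sources:
                return False, "frame-ancestors allows any origin"
            return True, "CSP frame-ancestors " + " ".join(sources)
    if xfo:
        # ALLOW-FROM is obsolete and ignored by current browsers
        return False, f"unsupported X-Frame-Options value {xfo}"
    return False, "no X-Frame-Options and no frame-ancestors directive"


def check_instance(url):
    """Send a HEAD request to url and evaluate the response headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return framing_protection(dict(resp.headers.items()))


# Constructed samples: a pre-0.26.6 style response and a hardened one
VULNERABLE = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {"Content-Type": "text/html",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        ok, why = framing_protection(hdrs)
        print(f"{name}: {'protected' if ok else 'VULNERABLE'} ({why})")
```

Run it against a live instance with check_instance("https://your-dokploy-instance/") once the headers from the workaround or the 0.26.6 update are in place.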
📡 Detection & Monitoring
Log Indicators:
- Unusual iframe referrer headers in web server logs
- Multiple failed authentication attempts from unexpected referrers
Network Indicators:
- HTTP requests with missing X-Frame-Options header for Dokploy endpoints
- Traffic patterns showing Dokploy pages loaded within iframes from external domains
SIEM Query:
http.url:"*/dokploy/*" AND NOT http.response.headers:X-Frame-Options:*