CVE-2026-24841
📋 TL;DR
CVE-2026-24841 is a critical command injection vulnerability in Dokploy, a self-hosted PaaS, allowing authenticated attackers to execute arbitrary commands on the host server via unsanitized parameters in a WebSocket endpoint. This affects all users running Dokploy versions prior to 0.26.6, potentially leading to full system compromise.
💻 Affected Systems
- Dokploy
⚠️ Risk & Real-World Impact
Worst Case
Full root-level compromise of the host server, enabling data theft, ransomware deployment, or lateral movement across the network.
Likely Case
Unauthorized command execution leading to service disruption, data exfiltration, or installation of backdoors by authenticated malicious users.
If Mitigated
Limited impact if strong authentication and network segmentation are in place, but still poses a risk of privilege escalation within the application context.
🎯 Exploit Status
Exploitation is straightforward for authenticated users due to direct command injection; no public proof-of-concept is known, but the vulnerability is well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.26.6
Vendor Advisory: https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r
Restart Required: Yes
Instructions:
1. Back up your Dokploy data and configuration.
2. Update Dokploy to version 0.26.6 or later using the official update method (e.g., Docker pull or package manager).
3. Restart the Dokploy service to apply the patch.
🔧 Temporary Workarounds
Disable WebSocket endpoint
Temporarily block or disable access to the vulnerable `/docker-container-terminal` WebSocket endpoint to prevent exploitation.
Use firewall rules (e.g., iptables or nftables) to block the port or path, or modify Dokploy configuration if supported.
Restrict authentication
Limit access to Dokploy to trusted users only and enforce strong authentication mechanisms.
Implement IP whitelisting, multi-factor authentication, or reduce user privileges in Dokploy settings.
🧯 If You Can't Patch
- Isolate the Dokploy server in a segmented network to limit potential lateral movement.
- Monitor and audit logs for suspicious command execution or unauthorized access to the WebSocket endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if your Dokploy version is below 0.26.6 by accessing the admin interface or running version check commands.
Check Version:
Run `docker exec <dokploy_container> node -e "console.log(require('/app/package.json').version)"`, or check the web interface settings.
Verify Fix Applied:
Confirm the Dokploy version is 0.26.6 or higher and test that the WebSocket endpoint no longer accepts unsanitized input for command injection.
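The version check above prints a bare version string, and deciding "below 0.26.6" by eye is error-prone once a `v` prefix, trailing newline or pre-release suffix is involved. The following script is an added example (not part of the advisory or of Dokploy) that parses that output and compares it against the fixed version; it assumes Dokploy tags follow semantic versioning, so a pre-release such as `0.26.6-rc.1` is ordered before the final `0.26.6` and reported as still vulnerable.

```python
import re
import subprocess
import sys
from typing import Optional

# First Dokploy release that contains the fix, per the vendor advisory.
FIXED_VERSION = (0, 26, 6)
# Accepts "0.26.6", "v0.26.6" and semver pre-releases like "0.26.6-rc.1".
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(raw: str) -> Optional[tuple]:
    """Extract (major, minor, patch, prerelease) from command output.
    Returns None when no version-shaped token is present."""
    m = VERSION_RE.search(raw.strip())
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre)


def is_vulnerable(raw: str) -> Optional[bool]:
    """True if the reported version predates the fix, False if it includes it,
    None if the string could not be parsed (treat that as 'unknown', not safe).
    Assumption: semver ordering, so 0.26.6-<pre> < 0.26.6 and is still vulnerable."""
    parsed = parse_version(raw)
    if parsed is None:
        return None
    core, pre = parsed[:3], parsed[3]
    if core < FIXED_VERSION:
        return True
    if core == FIXED_VERSION and pre is not None:
        return True
    return False


def read_container_version(container: str) -> str:
    """Run the version command from the advisory inside the named container."""
    cmd = ["docker", "exec", container, "node", "-e",
           "console.log(require('/app/package.json').version)"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) > 1:
        raw = read_container_version(sys.argv[1])
    else:
        raw = "0.26.5\n"  # constructed sample output used when no container is given
    state = {True: "VULNERABLE", False: "patched", None: "unknown version"}
    print(f"Dokploy reports {raw.strip()!r}: {state[is_vulnerable(raw)]}")
```

Usage: `python check_dokploy.py <dokploy_container>`; with no argument it evaluates a constructed sample string. An unparseable result is reported as unknown rather than as patched, so a broken check never reads as a clean bill of health.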
📡 Detection & Monitoring
Log Indicators:
- Unusual shell commands or process executions originating from the Dokploy service, especially with parameters like `containerId` or `activeWay`.
Network Indicators:
- Suspicious WebSocket traffic to `/docker-container-terminal` with payloads containing shell metacharacters (e.g., `;`, `&`, `|`).
SIEM Query:
Example: 'source="dokploy" AND (event="command_injection" OR message CONTAINS "docker-container-terminal")'
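The indicators above can be turned into a concrete log check. The script below is an added example, not part of the advisory, that scans reverse-proxy access logs (one constructed JSON record per line; the field names `ts`, `src`, `upgrade` and `url` are an assumption for this example) for WebSocket upgrades to `/docker-container-terminal` whose `containerId` or `activeWay` values look like injection attempts. It combines the denylist from the advisory (`;`, `&`, `|`, extended here with a few more shell metacharacters) with an allowlist of what those parameters should legitimately contain, because a value such as `sh -c "..."` carries none of the listed metacharacters and would slip past a denylist alone.

```python
import json
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access log: two benign requests and two suspicious ones.
SAMPLE_LOG = """\
{"ts":"2026-01-10T12:00:01Z","src":"10.0.0.5","upgrade":"websocket","url":"/docker-container-terminal?containerId=3f2a9c1b7e4d&activeWay=bash"}
{"ts":"2026-01-10T12:00:07Z","src":"10.0.0.9","upgrade":"websocket","url":"/docker-container-terminal?containerId=3f2a9c1b7e4d;id&activeWay=bash"}
{"ts":"2026-01-10T12:00:09Z","src":"10.0.0.9","upgrade":"websocket","url":"/docker-container-terminal?containerId=web-1&activeWay=sh%20-c%20%22curl%20http://example.invalid%22"}
{"ts":"2026-01-10T12:00:11Z","src":"10.0.0.5","upgrade":"","url":"/api/projects?x=a|b"}
"""

TARGET_PATH = "/docker-container-terminal"
WATCHED_PARAMS = ("containerId", "activeWay")
# Metacharacters named in the advisory (; & |) plus others a rule should not miss.
METACHARS = re.compile(r"[;&|`$(){}<>\n\r]")
# Docker container IDs are hex and names are [A-Za-z0-9][A-Za-z0-9_.-]*.
CONTAINER_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")
# activeWay is expected to be a bare shell name or path such as "bash" or "/bin/sh".
SHELL_NAME = re.compile(r"^[A-Za-z0-9_./-]+$")


def query_params(query: str) -> dict:
    """Split a query string on '&' only, so a ';' inside a value survives
    for inspection instead of being treated as a separator."""
    params: dict = {}
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def inspect_request(url: str) -> list:
    """Return the reasons a request URL to the terminal endpoint looks malicious
    (empty list for other paths or clean parameters)."""
    parts = urlsplit(url)
    if not parts.path.endswith(TARGET_PATH):
        return []
    reasons = []
    for name in WATCHED_PARAMS:
        for value in query_params(parts.query).get(name, []):
            if METACHARS.search(value):
                reasons.append(f"{name}: shell metacharacter in {value!r}")
            elif name == "containerId" and not CONTAINER_REF.match(value):
                reasons.append(f"containerId: not a container id or name {value!r}")
            elif name == "activeWay" and not SHELL_NAME.match(value):
                reasons.append(f"activeWay: unexpected shell value {value!r}")
    return reasons


def scan_log(text: str) -> list:
    """One finding per WebSocket upgrade whose URL fails inspect_request."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("upgrade", "").lower() != "websocket":
            continue  # only WebSocket upgrades reach the vulnerable handler
        reasons = inspect_request(rec["url"])
        if reasons:
            findings.append({"ts": rec["ts"], "src": rec["src"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["src"], "; ".join(f["reasons"]))
```

On the sample log this flags both requests from `10.0.0.9`: the `;id` appended to `containerId` by the metacharacter rule, and the `sh -c "curl ..."` value of `activeWay` by the allowlist rule. Point `scan_log` at the real proxy log in front of Dokploy and feed the findings to the SIEM alongside the query above.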