{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.059Z", "datePublished": "2026-01-28T00:01:49.253Z", "dateUpdated": "2026-01-28T15:02:29.344Z"}, "containers": {"cna": {"title": "Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers", "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "lang": "en", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q"}, {"name": "https://github.com/Dokploy/dokploy/pull/3500", "tags": ["x_refsource_MISC"], "url": "https://github.com/Dokploy/dokploy/pull/3500"}, {"name": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8", "tags": ["x_refsource_MISC"], "url": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8"}], "affected": [{"vendor": "Dokploy", "product": "dokploy", "versions": [{"version": "< 0.26.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:01:49.253Z"}, "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue."}], "source": {"advisory": "GHSA-c94j-8wgf-2q9q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T15:01:38.667953Z", "id": "CVE-2026-24839", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:02:29.344Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24839", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-28T15:01:38.667953Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T15:02:24.888Z"}}], "cna": {"title": "Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers", "source": {"advisory": "GHSA-c94j-8wgf-2q9q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Dokploy", "product": "dokploy", "versions": [{"status": "affected", "version": "< 0.26.6"}]}], "references": [{"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q", "name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Dokploy/dokploy/pull/3500", "name": "https://github.com/Dokploy/dokploy/pull/3500", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8", "name": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021: Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:01:49.253Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24839", "state": "PUBLISHED", "dateUpdated": "2026-01-28T15:02:29.344Z", "dateReserved": "2026-01-27T14:51:03.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T00:01:49.253Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*", "matchCriteriaId": "D811B470-39CF-4FCD-A0A6-77EBBE229498", "versionEndExcluding": "0.26.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue."}], "id": "CVE-2026-24839", "lastModified": "2026-02-04T17:58:11.480", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T01:16:14.490", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/Dokploy/dokploy/pull/3500"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T20:38:11.629412+00:00", "value": {"mitigation_remediation": ["Upgrade the Dokploy instance to version\u202f0.26.6 or later, which adds the required X\u2011Frame\u2011Options and CSP frame\u2011ancestors headers.", "If an upgrade is not immediately possible, configure an external reverse proxy such as nginx or Apache to insert \\\"X\u2011Frame\u2011Options: SAMEORIGIN\\\" or \\\"X\u2011Frame\u2011Options: DENY\\\" and a \\\"Content\u2011Security\u2011Policy: frame\u2011ancestors 'self'\\\" header on all Dokploy responses.", "If Dokploy supports custom response headers, enable X\u2011Frame\u2011Options and CSP frame\u2011ancestors directly in the application configuration."], "summary": {"action": "Patch", "impact": "Clickjacking via missing frame protection headers"}, "threat_synthesis": {"affected_systems": "Affected systems are deployment instances of the Dokploy PaaS product, vendor Dokploy. The vulnerability exists in all released versions before 0.26.6, including 0.25.x and 0.26.x releases. Any user running those earlier versions must update to the patched version.", "description_and_impact": "Dokploy's free, self-hostable PaaS web interface up to version\u202f0.26.5 lacked X\u2011Frame\u2011Options and CSP frame\u2011ancestors headers. This allows attackers to embed legitimate Dokploy pages inside malicious iframes and trick authenticated users into executing unintended actions. The flaw is classified as CWE\u20111021 and can lead to credential compromise or accidental submission of sensitive forms, but it does not grant direct access to system files or result in code execution.", "risk_and_exploitability": "The CVSS score of 4.7 indicates moderate severity. The EPSS score of less than 1\u202f% reflects a low probability of exploitation, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers could exploit it over HTTPS by embedding the target site in an iframe, requiring the victim to be authenticated. While the impact is limited to actions performed in the spoofed context, repeated or coordinated attacks could lead to credential theft or data disclosure."}}}}, "created": "2026-01-28T12:21:37.981762+00:00", "updated": "2026-04-18T20:45:05.721118+00:00", "vendors": ["dokploy", "dokploy$PRODUCT$dokploy"]}