{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24841", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-27T14:51:03.059Z", "datePublished": "2026-01-28T00:18:23.724Z", "dateUpdated": "2026-01-28T14:59:11.561Z"}, "containers": {"cna": {"title": "Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r"}, {"name": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f", "tags": ["x_refsource_MISC"], "url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f"}, {"name": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts", "tags": ["x_refsource_MISC"], "url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts"}], "affected": [{"vendor": "Dokploy", "product": "dokploy", "versions": [{"version": "< 0.26.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:18:23.724Z"}, "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."}], "source": {"advisory": "GHSA-vx6x-6559-x35r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-28T14:58:12.909662Z", "id": "CVE-2026-24841", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:59:11.561Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24841", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-28T14:58:12.909662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-28T14:59:04.995Z"}}], "cna": {"title": "Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint", "source": {"advisory": "GHSA-vx6x-6559-x35r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Dokploy", "product": "dokploy", "versions": [{"status": "affected", "version": "< 0.26.6"}]}], "references": [{"url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r", "name": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f", "name": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts", "name": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-28T00:18:23.724Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24841", "state": "PUBLISHED", "dateUpdated": "2026-01-28T14:59:11.561Z", "dateReserved": "2026-01-27T14:51:03.059Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-28T00:18:23.724Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*", "matchCriteriaId": "D811B470-39CF-4FCD-A0A6-77EBBE229498", "versionEndExcluding": "0.26.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue."}], "id": "CVE-2026-24841", "lastModified": "2026-02-04T17:37:04.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-28T01:16:14.797", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "url": "https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:49:01.710776+00:00", "value": {"mitigation_remediation": ["Upgrade the Dokploy installation to version 0.26.6 or later, which removes the untrusted input from the shell command construction.", "If an upgrade cannot be performed immediately, block or delete the /docker-container-terminal WebSocket endpoint for all users until the patch is applied, effectively preventing the injection vector.", "Apply host\u2011level hardening: run Docker containers with the least privilege, restrict the Docker daemon to a dedicated user, and monitor WebSocket traffic for anomalous command patterns."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts all installations of Dokploy running a version older than 0.26.6. Versions 0.26.6 and later have fixed the flaw. The affected product is the self\u2011hosted Platform as a Service application Dokploy, as identified by the vendor package name dokploy.", "description_and_impact": "A command injection flaw exists in Dokploy\u2019s WebSocket endpoint used for launching terminal sessions inside Docker containers. The \"containerId\" and \"activeWay\" fields are placed directly into a shell command without any sanitization, enabling an attacker who has authenticated access to inject arbitrary shell commands. Successful exploitation grants the attacker unrestricted execution on the host operating system, thereby compromising confidentiality, integrity, and availability of the entire environment.", "risk_and_exploitability": "The CVSS rating of 9.9 classifies this issue as critical, reflecting the high impact and the fact that it is reachable by an authenticated user through the WebSocket interface. Although the EPSS score is reported as less than 1%, indicating a low probability of immediate exploitation, the lack of entry in the CISA KEV catalog does not diminish the need for swift action. The attack vector is remote, requiring authentication but not privileged local access beyond the permitted user role. The combination of severe impact and a low but non\u2011zero exploitation probability means that any environment running a vulnerable Dokploy version should treat this as a top\u2011priority vulnerability."}}}}, "created": "2026-01-28T12:21:48.833088+00:00", "updated": "2026-04-18T02:00:10.460356+00:00", "vendors": ["dokploy", "dokploy$PRODUCT$dokploy"]}