Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Published: 2026-01-28
Score: 9.9 Critical
EPSS: 2.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in Dokploy’s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly inserted into shell commands without sanitization, allowing an authenticated user to execute arbitrary shell commands on the host. This flaw enables remote code execution with full control over the underlying operating system, compromising confidentiality, integrity, and availability.

Affected Systems

All installations of Dokploy prior to version 0.26.6 are affected. The vulnerable component is the self‑hosted Platform as a Service application Dokploy. Upgrading to version 0.26.6 or later removes the untrusted input from the shell command construction and resolves the issue.

Risk and Exploitability

The CVSS score of 9.9 classifies this vulnerability as critical. The EPSS score is 3%, indicating a low probability of exploitation. The flaw is accessible through a remote WebSocket interface and requires only authenticated access; no additional local privileges are required. Although the vulnerability is not listed in the CISA KEV catalog, the combination of high severity and the authentication requirement means that any environment running a vulnerable version of Dokploy should treat it as a top‑priority issue.

Generated by OpenCVE AI on June 18, 2026 at 05:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dokploy installation to version 0.26.6 or later, which removes the untrusted input from the shell command construction.
  • If an upgrade cannot be performed immediately, block or delete the `/docker-container-terminal` WebSocket endpoint for all users until the patch is applied, effectively preventing the injection vector.
  • Apply host‑level hardening: run Docker containers with the least privilege, restrict the Docker daemon to a dedicated user, and monitor WebSocket traffic for anomalous command patterns.

Generated by OpenCVE AI on June 18, 2026 at 05:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*

Wed, 28 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 28 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Dokploy
Dokploy dokploy
Vendors & Products Dokploy
Dokploy dokploy

Wed, 28 Jan 2026 00:30:00 +0000

Type Values Removed Values Added
Description Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Title Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-28T14:59:11.561Z

Reserved: 2026-01-27T14:51:03.059Z

Link: CVE-2026-24841

cve-icon Vulnrichment

Updated: 2026-01-28T14:59:04.995Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-28T01:16:14.797

Modified: 2026-06-17T10:23:41.180

Link: CVE-2026-24841

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T05:30:15Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')