Unrated severity · OSV Advisory · Published Jan 28, 2026 · Updated Jan 28, 2026
Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers
CVE-2026-24839
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue.
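A defender-side check for the condition described above, as an added example (not Dokploy's code or its patch): it inspects one response's headers and reports whether framing by other origins is actually blocked. The function names and the sample header set are assumptions constructed for illustration.

```javascript
// Added example: audit one HTTP response's headers for anti-framing protection.
// Header names are standard; function names and sample values are constructed.
function frameAncestors(csp) {
  // Return the frame-ancestors source list from a CSP string, or null if absent.
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources.map((s) => s.toLowerCase());
  }
  return null;
}

function auditFraming(headers) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const findings = [];
  const fa = frameAncestors(h["content-security-policy"]);
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();

  // frame-ancestors protects only if it does not admit every origin.
  const wide = ["*", "http:", "https:"];
  const cspOk = fa !== null && !fa.some((s) => wide.includes(s));
  if (fa === null) findings.push("no enforced CSP frame-ancestors");
  else if (!cspOk) findings.push("frame-ancestors allows any origin");

  // Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete and ignored.
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!xfo) findings.push("no X-Frame-Options");
  else if (!xfoOk) findings.push(`X-Frame-Options value not honoured: ${xfo}`);

  // A Report-Only policy is never enforced, so it does not block framing.
  if (fa === null && frameAncestors(h["content-security-policy-report-only"]) !== null)
    findings.push("frame-ancestors is report-only");

  // An enforced frame-ancestors overrides X-Frame-Options in supporting browsers.
  return { protected: fa !== null ? cspOk : xfoOk, findings };
}

// Constructed sample: a response with neither header, as the advisory describes.
console.log(auditFraming({ "Content-Type": "text/html" }));
```

An enforced `frame-ancestors` directive takes precedence over `X-Frame-Options` in browsers that support it, which is why a permissive CSP is reported as unprotected even when `X-Frame-Options: DENY` is also sent.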
Affected products: 1
Patches: 0. No patches discovered yet.
References (3)
- github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8 (mitre, x_refsource_MISC)
- github.com/Dokploy/dokploy/pull/3500 (mitre, x_refsource_MISC)
- github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q (mitre, x_refsource_CONFIRM)