Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026
Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint
CVE-2026-24841
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3- github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.tsmitrex_refsource_MISC
- github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6fmitrex_refsource_MISC
- github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35rmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.