Unrated severityOSV Advisory· Published Jan 28, 2026· Updated Jan 28, 2026
Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker Container Terminal WebSocket Endpoint
CVE-2026-24841
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint /docker-container-terminal. The containerId and activeWay parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.tsmitrex_refsource_MISC
- github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6fmitrex_refsource_MISC
- github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35rmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.