CVE-2026-24841

CRITICAL

dokploy < 0.26.6 - Authenticated OS Command Injection via WebSocket Endpoint Parameters


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-24841. PoCs published by XiaomingX, otakuliu.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2026-24841, simulating a vulnerable Dokploy WS Terminal environment. It strictly enforces session authentication and mimics command execution behavior for testing purposes.

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
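The injection pattern described above, next to a validated form, as an added example (not Dokploy source code and not the 0.26.6 patch). It assumes the endpoint builds a `docker exec` command and that `activeWay` names the shell to start inside the container; all function names are hypothetical.

```javascript
// Added illustration: not Dokploy source code and not the 0.26.6 patch.

// Docker container IDs are hex; container names match
// [a-zA-Z0-9][a-zA-Z0-9_.-]*. A leading "-" is refused as well, so the value
// can never be read as a docker option.
const CONTAINER_REF = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,254}$/;

// Assumption: activeWay names the shell to start inside the container.
const ALLOWED_SHELLS = new Set(["sh", "bash", "ash", "zsh"]);

// Vulnerable shape (CWE-78): request values are pasted into one string that
// a shell parses later, so the input decides where the command ends.
function buildCommandUnsafe(containerId, activeWay) {
  return `docker exec -it ${containerId} ${activeWay}`;
}

// Hardened shape: reject anything outside the allow-lists, then return an
// argv array meant for child_process.spawn(file, args) with no shell.
function buildExecArgs(containerId, activeWay) {
  if (typeof containerId !== "string" || !CONTAINER_REF.test(containerId)) {
    throw new TypeError("invalid containerId");
  }
  if (typeof activeWay !== "string" || !ALLOWED_SHELLS.has(activeWay)) {
    throw new TypeError("invalid activeWay");
  }
  return { file: "docker", args: ["exec", "-it", containerId, activeWay] };
}

// Validate the query string of a WebSocket upgrade request before anything
// is executed; returns null when the request must be refused.
function parseTerminalRequest(requestUrl) {
  const params = new URL(requestUrl, "http://localhost").searchParams;
  try {
    return buildExecArgs(params.get("containerId"), params.get("activeWay"));
  } catch {
    return null;
  }
}

// Constructed sample requests (not captured traffic).
const samples = [
  "/docker-container-terminal?containerId=3f2a9c1b7d4e&activeWay=bash",
  "/docker-container-terminal?containerId=web_1%3Bx&activeWay=sh",
  "/docker-container-terminal?containerId=web_1&activeWay=sh%20-c%20x",
];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(parseTerminalRequest(s)));
}
```

Validation of this kind belongs on the server side of the WebSocket handler, after the session check and before any process is spawned.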

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-24841

This repository contains a functional proof-of-concept for CVE-2026-24841, simulating a vulnerable Dokploy WS Terminal environment. It strictly enforces session authentication and mimics command execution behavior for testing purposes.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Dokploy WS Terminal
Auth required
Prerequisites: Valid session cookie (session=demo) · WebSocket connection to the target endpoint
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC
by otakuliu · poc
https://github.com/otakuliu/CVE-2026-24841_Range

This is a safe simulator for CVE-2026-24841, designed to validate the official PoC by mimicking the vulnerable Dokploy WS Terminal behavior. It enforces strict session authentication (session=demo) and simulates command execution without actual system commands.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Dokploy WS Terminal
Auth required
Prerequisites: Valid session cookie (session=demo) · WebSocket connection to the target endpoint
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.9
EPSS 0.0013
EPSS Percentile 32.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE CWE-78
Status published
Products (1)
dokploy/dokploy < 0.26.6
Published Jan 28, 2026
Tracked Since Feb 18, 2026