CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-24841: PaaS-word to Pwnage: Breaking Dokploy with WebSocket Command Injection

Vulnerability ID: CVE-2026-24841
CVSS Score: 9.9
Published: 2026-01-28

A critical command injection vulnerability in Dokploy's WebSocket terminal endpoint allows authenticated users to escape the confines of a Docker container session and execute arbitrary commands on the host operating system. By manipulating the parameters sent during the WebSocket handshake, attackers can abuse the server's use of shell interpolation to hijack the underlying process spawning logic.

TL;DR

Dokploy < 0.26.6 lets authenticated users pass unsanitized input into a shell command intended to spawn a Docker terminal. This allows attackers to break out of the docker exec command and run arbitrary code on the host server as root (or the service user). Fix: Upgrade to 0.26.6.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-24841
  • CVSS: 9.9 (Critical)
  • CWE: CWE-78 (OS Command Injection)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE) as Host User
  • Fix Version: 0.26.6

Affected Systems

  • Dokploy: < 0.26.6 (Fixed in: 0.26.6)

Code Analysis

Commit: 74e0bd5

Fix command injection vulnerability in docker-container-terminal

- const ptyProcess = spawn(shell, ["-c", `docker exec -it -w / ${containerId} ${activeWay}`], {});
+ if (!isValidContainerId(containerId)) return;
+ const ptyProcess = spawn("docker", ["exec", "-it", "-w", "/", containerId, shell], {});
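Review bot: On the added `spawn("docker", [...])` line, `shell` is passed to `docker exec` as the in-container command, but the lines shown validate only `containerId`; if `shell` can be set by the client, check it against a fixed allowlist before this call. The bare `return` after `!isValidContainerId(containerId)` also drops the request silently: log the rejected value and close the WebSocket so the attempt is visible to monitoring and the client does not hang. `isValidContainerId` is not shown here, so confirm it rejects values that begin with `-`, because `containerId` sits where docker still parses options.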

Exploit Details

  • Hypothetical: Exploitation involves sending crafted query parameters to the WebSocket endpoint.

Mitigation Strategies

  • Input Validation: Ensure all user inputs are validated against a strict allowlist (regex).
  • Safe API Usage: Use spawn or execFile with argument arrays instead of command strings.
  • Principle of Least Privilege: Ensure the node process does not run as root where possible (though difficult for Docker management tools).
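The first two mitigations combined, as an added example that is not Dokploy's code: an allowlist check on both parameters followed by an argument-array spawn. The regex, the shell allowlist and the names isAllowedContainerRef, buildDockerExecArgs and openTerminal are assumptions; spawnFn stands in for whichever spawn function the server uses.

```javascript
// Added example: the regex, allowlist and function names are assumptions,
// not Dokploy's implementation.

// Docker IDs are hex; names match [a-zA-Z0-9][a-zA-Z0-9_.-]+. Requiring an
// alphanumeric first character also rejects values such as "--privileged"
// that docker would parse as an option.
const CONTAINER_REF = /^(?:[a-f0-9]{12,64}|[a-zA-Z0-9][a-zA-Z0-9_.-]{1,127})$/;

// Hypothetical allowlist of in-container shells the terminal may start.
const ALLOWED_SHELLS = new Set(["sh", "bash", "ash", "zsh"]);

function isAllowedContainerRef(value) {
  // typeof check: repeated query parameters can arrive as arrays.
  return typeof value === "string" && CONTAINER_REF.test(value);
}

// Returns the argv for `docker exec`, or null if either input is rejected.
function buildDockerExecArgs(containerId, shell) {
  if (!isAllowedContainerRef(containerId)) return null;
  if (!ALLOWED_SHELLS.has(shell)) return null;
  return ["exec", "-it", "-w", "/", containerId, shell];
}

// spawnFn is injected (for example child_process.spawn) so this can be
// exercised without Docker. No shell parses the arguments: each array
// element reaches docker as exactly one argv entry.
function openTerminal(spawnFn, containerId, shell, onReject = () => {}) {
  const args = buildDockerExecArgs(containerId, shell);
  if (args === null) {
    onReject({ containerId, shell }); // log and close the WebSocket here
    return null;
  }
  return spawnFn("docker", args, {});
}

// Constructed inputs: a valid short ID, then one with shell metacharacters.
const calls = [];
const fakeSpawn = (file, args) => { calls.push([file, ...args]); return {}; };
openTerminal(fakeSpawn, "3f4e2a1b9c0d", "sh");
openTerminal(fakeSpawn, "3f4e2a1b9c0d; echo constructed", "sh",
  (r) => console.log("rejected:", JSON.stringify(r)));
console.log(calls); // only the first request reached spawn
```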

Remediation Steps:

  1. Identify the current version of Dokploy running on your infrastructure.
  2. If version is < 0.26.6, schedule an immediate maintenance window.
  3. Pull the latest Docker image: docker pull dokploy/dokploy:latest.
  4. Restart the Dokploy container.
  5. Verify the version in the dashboard settings.


Read the full report for CVE-2026-24841 on our website for more details including interactive diagrams and full exploit analysis.