CVE-2026-24840

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.

Configurations

Configuration 1

cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:23

Type Values Removed Values Added
Summary
  • (es) Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.

04 Feb 2026, 17:55

| Type | Values Removed | Values Added |
|---|---|---|
| First Time | | Dokploy dokploy; Dokploy |
| References | https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d | https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d - Patch |
| References | https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc | https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc - Exploit, Vendor Advisory |
| CPE | | cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:* |

28 Jan 2026, 01:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-01-28 01:16

Updated : 2026-06-17 10:23


NVD link : CVE-2026-24840

Mitre link : CVE-2026-24840

CVE.ORG link : CVE-2026-24840



Products Affected

dokploy

  • dokploy

CWE

CWE-798: Use of Hard-coded Credentials