CVE-2026-24840— Dokploy uses hardcoded credentials in installation script, which could result in database access
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-24840
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dokploy uses hardcoded credentials in installation script, which could result in database access
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的凭证
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dokploy 信任管理问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dokploy是Dokploy开源的一个开源软件。 Dokploy 0.26.6之前版本存在信任管理问题漏洞,该漏洞源于安装脚本中存在硬编码凭证,可能导致数据库凭据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-24840
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-24840
请登录查看更多情报信息。
Same Patch Batch · Dokploy · 2026-01-28 · 3 CVEs total
| CVE-2026-24841 | 9.9 CRITICAL | Dokploy Vulnerable to Authenticated Remote Code Execution via Command Injection in Docker |
| CVE-2026-24839 | 4.7 MEDIUM | Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors |
IV. Related Vulnerabilities
Same product: dokploy
- CVE-2026-24841
Dokploy Vulnerable to Authenticated Remote Code Execution vi - CVE-2026-24839
Dokploy has a clickjacking vulnerability - Missing X-Frame-O - CVE-2025-53825
Dokploy's Preview Deployments are vulnerable to Remote Code - CVE-2025-53375
Dokploy allows attackers to read any file that the Traefik p - CVE-2025-53376
Dokploy allows attackers to run arbitrary OS commands on th
Same vendor: Dokploy
- CVE-2026-24841
Dokploy Vulnerable to Authenticated Remote Code Execution vi - CVE-2026-24839
Dokploy has a clickjacking vulnerability - Missing X-Frame-O - CVE-2025-53825
Dokploy's Preview Deployments are vulnerable to Remote Code - CVE-2025-53375
Dokploy allows attackers to read any file that the Traefik p - CVE-2025-53376
Dokploy allows attackers to run arbitrary OS commands on th
Same weakness: CWE-798
- CVE-2026-7414
Hardcoded credentials in Yarbo robot firmware - CVE-2026-8032
PicoTronica e-Clinic Healthcare System ECHS echs.js hard-cod - CVE-2026-32834
Easy PayPal Events & Tickets 1.3 Authentication Bypass via Q - CVE-2026-42376
D-Link DIR-456U A1 Hardcoded Telnet Backdoor Credentials - CVE-2026-42375
D-Link DIR-600L A1 Hardcoded Telnet Backdoor Credentials
V. Comments for CVE-2026-24840
No comments yet