What is the CVSS score of CVE-2026-24840?

CVE-2026-24840 has a CVSS 3.1 base score of 8.0 (High). CVSS vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Dokploy are affected by CVE-2026-24840?

Dokploy versions prior to 0.26.6 contain hardcoded database credentials in the installation script, potentially exposing all self-hosted PaaS deployments to unauthorized database access.. A patch is available.

Is there a public PoC exploit available for CVE-2026-24840?

Yes, a public proof-of-concept exploit is available for CVE-2026-24840. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-24840?

Within 24 hours: Identify all Dokploy instances running versions prior to 0.26.6 and isolate affected systems from production networks if patching cannot be completed immediately. Within 7 days: Upgrade all Dokploy installations to version 0.26.6 or later, regenerate all database credentials, and audit database access logs for unauthorized activity. Within 30 days: Conduct a full security review of affected systems, verify no data exfiltration occurred, and implement secret management controls to prevent hardcoded credentials in future deployments.

Dokploy CVE-2026-24840

HIGH

Use of Hard-coded Credentials (CWE-798)

2026-01-28 security-advisories@github.com

Authentication Bypass Dokploy

8.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.0 HIGH

AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 04, 2026 - 17:55 vuln.today

Public exploit code

Patch released

Feb 04, 2026 - 17:55 nvd

Patch available

CVE Published

Jan 28, 2026 - 01:16 nvd

HIGH 8.0

DescriptionGitHub Advisory

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.

AnalysisAI

Dokploy versions before 0.26.6 contain hardcoded database credentials in the installation script, causing nearly all deployments to share identical credentials that can be obtained from the publicly available install.sh file. An authenticated attacker on the network can leverage these credentials to access the database, potentially achieving high-impact compromise of confidentiality, integrity, and availability. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Access local network or internal environment

Delivery

Obtain hardcoded database credentials from installation script

Exploit

Connect to exposed database container

Execution

Execute arbitrary SQL commands

Impact

Compromise application data and integrity

Access

Access local network or internal environment

Delivery

Obtain hardcoded database credentials from installation script

Exploit

Connect to exposed database container

Execution

Execute arbitrary SQL commands

Impact

Compromise application data and integrity

Vulnerability AssessmentAI

Exploitation	Dokploy versions prior to 0.26.6 installed using the official install.sh script. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.0 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Dokploy instances running versions prior to 0.26.6 and isolate affected systems from production networks if patching cannot be completed immediately. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-24840 vulnerability details – vuln.today

Back

Dokploy CVE-2026-24840

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code