CVE-2026-24839 MEDIUM

CVE-2026-24839: Dokploy has a clickjacking vulnerability - Missing X-Frame-Options and CSP frame-ancestors headers

Vendor Dokploy
Product dokploy
Weakness CWE-1021
Published January 28, 2026
Last update January 28, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue.

Key dates

02Disclosure timeline

January 28, 2026 CVE published
January 28, 2026 Record updated