CVE-2026-45628
Remote Code Execution in Dokploy via Unsanitized Input
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | 0.29.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45628 is a critical command injection vulnerability in Dokploy, a deployment pipeline tool. It affects version 0.29.2 and earlier. The vulnerability occurs because user-supplied inputs such as branch names, repository URLs, and Docker credentials are directly inserted into shell commands without proper escaping. These commands are executed using child_process.exec(), which runs through /bin/sh -c, allowing shell metacharacters to be interpreted and executed.
An authenticated attacker with application create or edit privileges can exploit this flaw to execute arbitrary commands on the Dokploy server. Since Dokploy mounts the Docker socket, this can lead to full host compromise. The root cause is the failure to apply an existing shell escaping function (shEscape()) to deployment paths.
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution on the Dokploy server by an authenticated attacker. Because Dokploy mounts the Docker socket, exploitation can escalate to full host compromise, potentially allowing the attacker to control the entire server environment.
The vulnerability affects confidentiality and integrity of the system, as attackers can run arbitrary commands and manipulate deployments or data. The CVSS score of 9.6 reflects the critical severity and high impact of this issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves command injection through user-supplied inputs in Dokploy version 0.29.2 and earlier. Detection can focus on monitoring for suspicious shell command executions that include unescaped branch names, repository URLs, or Docker credentials.
Since the vulnerability requires authenticated users with create/edit privileges, detection can include auditing Dokploy logs for unusual deployment commands or unexpected shell executions.
Specific commands to detect exploitation attempts are not provided in the resources. However, general detection methods could include:
- Monitoring process executions on the Dokploy server for shell commands containing suspicious characters or patterns (e.g., shell metacharacters like `;`, `&&`, `|`).
- Using system auditing tools like `auditd` to track executions of `/bin/sh -c` commands initiated by Dokploy processes.
- Checking Dokploy application logs for deployment requests with unusual branch names or repository URLs containing shell metacharacters.
Because the provided resources give no explicit detection commands, no exact commands can be suggested.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this critical command injection vulnerability in Dokploy 0.29.2 and earlier, immediate steps include:
- Apply the `shEscape()` function to all shell-interpolated variables to properly escape user inputs.
- Where possible, replace `child_process.exec()` with `execFileAsync()` to avoid shell interpretation.
- Implement whitelisting of branch names to restrict inputs to known safe values.
- Consider adopting the `shell-quote` library to safely handle shell command arguments.
Additionally, restrict application create/edit privileges to trusted users only, as exploitation requires authenticated access.
If possible, upgrade Dokploy to a version where these fixes have been applied.