Executive Summary

CVE-2026-45628 is a critical command injection vulnerability in Dokploy, a deployment pipeline tool. It affects version 0.29.2 and earlier. The vulnerability occurs because user-supplied inputs such as branch names, repository URLs, and Docker credentials are directly inserted into shell commands without proper escaping. These commands are executed using child_process.exec(), which runs through /bin/sh -c, allowing shell metacharacters to be interpreted and executed.

An authenticated attacker with application create or edit privileges can exploit this flaw to execute arbitrary commands on the Dokploy server. Since Dokploy mounts the Docker socket, this can lead to full host compromise. The root cause is the failure to apply an existing shell escaping function (shEscape()) to deployment paths.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the Dokploy server by an authenticated attacker. Because Dokploy mounts the Docker socket, exploitation can escalate to full host compromise, potentially allowing the attacker to control the entire server environment.

The vulnerability affects confidentiality and integrity of the system, as attackers can run arbitrary commands and manipulate deployments or data. The CVSS score of 9.6 reflects the critical severity and high impact of this issue.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves command injection through user-supplied inputs in Dokploy version 0.29.2 and earlier. Detection can focus on monitoring for suspicious shell command executions that include unescaped branch names, repository URLs, or Docker credentials.

Since the vulnerability requires authenticated users with create/edit privileges, detection can include auditing Dokploy logs for unusual deployment commands or unexpected shell executions.

Specific commands to detect exploitation attempts are not provided in the resources. However, general detection methods could include:

• Monitoring process executions on the Dokploy server for shell commands containing suspicious characters or patterns (e.g., shell metacharacters like `;`, `&&`, `|`).
• Using system auditing tools like `auditd` to track executions of `/bin/sh -c` commands initiated by Dokploy processes.
• Checking Dokploy application logs for deployment requests with unusual branch names or repository URLs containing shell metacharacters.

Due to lack of explicit detection commands in the provided resources, no exact commands can be suggested.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this critical command injection vulnerability in Dokploy 0.29.2 and earlier, immediate steps include:

• Apply the `shEscape()` function to all shell-interpolated variables to properly escape user inputs.
• Where possible, replace `child_process.exec()` with `execFileAsync()` to avoid shell interpretation.
• Implement whitelisting of branch names to restrict inputs to known safe values.
• Consider adopting the `shell-quote` library to safely handle shell command arguments.

Additionally, restrict application create/edit privileges to trusted users only, as exploitation requires authenticated access.

If possible, upgrade Dokploy to a version where these fixes have been applied.

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-45628 is a critical command injection vulnerability that allows an authenticated attacker to achieve remote code execution on the Dokploy server, potentially leading to full host compromise. This can result in unauthorized access to sensitive data and systems, severely impacting confidentiality and integrity.

Such a vulnerability can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information. The risk of unauthorized data access or modification due to this vulnerability could lead to violations of these regulations, resulting in legal and financial consequences.

Useful 0 Not Useful 0