CVE-2026-45629
Status: Received - Intake
Authenticated OS Command Injection in Dokploy 0.28.8

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Meta Information
Published: 2026-05-29
Last Modified: 2026-05-29
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Showing 2 associated CPEs
Vendor: dokploy | Product: dokploy | Version range: up to 0.28.8 (exclusive)
Vendor: dokploy | Product: dokploy | Version range: up to 0.28.8 (inclusive)
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45629 is an authenticated OS command injection vulnerability in Dokploy versions 0.28.8 and earlier. It occurs in the /listen-deployment WebSocket endpoint, where the logPath parameter is improperly validated and passed directly into a shell command via SSH without proper sanitization.

The vulnerability arises because the readValidDirectory() function only checks if the resolved path starts with a base directory, but shell metacharacters like semicolons are treated as valid characters by path.resolve(), allowing attackers to bypass validation.

Any authenticated organization member, even with default 'member' role permissions, can exploit this flaw to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.


How can this vulnerability impact me?

This vulnerability can lead to full server compromise because it allows any authenticated organization member to execute arbitrary system commands on remote servers managed by Dokploy.

An attacker exploiting this flaw can gain control over the affected servers with the privileges of the SSH user, potentially leading to data theft, service disruption, or further attacks within the network.

The impact is critical, with a CVSS score of 9.9, indicating high confidentiality, integrity, and availability risks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for suspicious activity related to the /listen-deployment WebSocket endpoint in Dokploy versions ≤ 0.28.8, especially commands executed via the logPath parameter.

Since the vulnerability allows authenticated organization members to execute arbitrary system commands, you can look for unusual SSH command executions or WebSocket traffic targeting the /listen-deployment endpoint.

Specific commands to detect exploitation attempts are not provided in the resources. However, general approaches include:

  • Monitoring WebSocket connections to /listen-deployment for unexpected or suspicious payloads.
  • Checking SSH logs for unusual commands or connections initiated by Dokploy users.
  • Using network monitoring tools to capture and analyze traffic to the vulnerable endpoint.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /listen-deployment WebSocket endpoint to trusted users only and disabling or limiting the use of Dokploy versions ≤ 0.28.8 until patched.

Recommended fixes from the advisory include:

  • Implement strict regex validation for the logPath parameter to prevent injection.
  • Use base64 encoding for the logPath parameter to avoid shell metacharacter interpretation.
  • Replace shell command execution with safer alternatives such as SFTP streaming.

Until these fixes are applied, ensure that only trusted authenticated users have access to Dokploy and monitor for suspicious activity.

