CVE-2026-45630
Authenticated OS Command Injection in Dokploy 0.28.8
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Dokploy versions 0.28.8 and earlier, specifically in the updateTraefikConfig tRPC endpoint. It allows authenticated users with admin or owner privileges to perform OS command injection by exploiting unsanitized input in the traefikConfig parameter. The input is interpolated directly into a shell command executed via SSH, enabling these privileged users to execute arbitrary system commands on remote servers.
An attacker can inject a single quote into the traefikConfig value to break out of the intended shell quoting context and insert malicious commands. Exploitation requires an admin or owner account and a deployed application with an SSH key configured.
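The pattern the advisory describes is a config value dropped verbatim between single quotes in a shell command line. The following added example (written for this page, not Dokploy's own code) contrasts that pattern with POSIX single-quote escaping and uses a small shell word splitter to count how many commands a remote shell would actually see. The remote path is a placeholder and both command shapes are assumptions, not Dokploy's real implementation.

```typescript
// Added example, not Dokploy's code. REMOTE_PATH is a placeholder, not a real Dokploy path.
const REMOTE_PATH = "/placeholder/path/traefik.yml";

// Vulnerable pattern named in the advisory: the value sits between single quotes
// verbatim, so any "'" inside it closes the quote and the remainder is parsed as shell.
export function buildNaiveCommand(config: string): string {
  return `echo '${config}' > ${REMOTE_PATH}`;
}

// POSIX single-quote escaping: close the quote, emit an escaped quote, reopen.
// Inside single quotes nothing else is special, so the value survives as one word.
export function shellQuote(value: string): string {
  return `'${value.replace(/'/g, `'\\''`)}'`;
}

export function buildQuotedCommand(config: string): string {
  return `printf '%s' ${shellQuote(config)} > ${shellQuote(REMOTE_PATH)}`;
}

// Minimal POSIX-style word splitter: single quotes, double quotes (simplified: no
// expansions or escapes inside), backslash escapes, and the operators ; | & < >
// and newline as single-character tokens (so "&&" yields two "&" tokens).
const OPERATORS = new Set([";", "|", "&", "<", ">", "\n"]);

export function splitShellWords(cmd: string): string[] {
  const words: string[] = [];
  let cur = "";
  let inWord = false;
  const flush = (): void => {
    if (inWord) {
      words.push(cur);
      cur = "";
      inWord = false;
    }
  };
  let i = 0;
  while (i < cmd.length) {
    const c = cmd[i];
    if (c === "'" || c === '"') {
      const end = cmd.indexOf(c, i + 1); // quoted span is taken literally
      if (end < 0) throw new Error(`unterminated ${c} quote`);
      cur += cmd.slice(i + 1, end);
      inWord = true;
      i = end + 1;
    } else if (c === "\\" && i + 1 < cmd.length) {
      cur += cmd[i + 1]; // backslash escapes the next character
      inWord = true;
      i += 2;
    } else if (c === " " || c === "\t") {
      flush();
      i += 1;
    } else if (OPERATORS.has(c)) {
      flush();
      words.push(c);
      i += 1;
    } else {
      cur += c;
      inWord = true;
      i += 1;
    }
  }
  flush();
  return words;
}

// Number of simple commands the shell would run: token groups separated by ; | & or newline.
export function countCommands(cmd: string): number {
  const separators = new Set([";", "|", "&", "\n"]);
  let count = 0;
  let inGroup = false;
  for (const tok of splitShellWords(cmd)) {
    if (separators.has(tok)) {
      inGroup = false;
    } else if (!inGroup) {
      count += 1;
      inGroup = true;
    }
  }
  return count;
}

// The argument the writing command receives: the word just before the first ">" token.
export function writtenPayload(cmd: string): string {
  const words = splitShellWords(cmd);
  const redirect = words.indexOf(">");
  if (redirect < 1) throw new Error("no redirection found");
  return words[redirect - 1];
}

// Constructed inputs: an ordinary Traefik snippet (note the legitimate quotes around ':80')
// and a value containing a quote followed by a separator, the shape the advisory describes.
export const LEGIT_CONFIG = "entryPoints:\n  web:\n    address: ':80'\n";
export const BREAKOUT_VALUE = "x'; echo tampered; '";
```

Two things fall out of the checks: the naive builder not only lets a quote-plus-separator value become several commands, it also mangles ordinary YAML that happens to contain single quotes, because those quotes are eaten by the shell. The quoted builder returns exactly one command and the value round-trips byte for byte. Better still is to keep the config off the command line entirely, for example by sending it over the SSH session's stdin to a fixed `cat > path` command, so no quoting is needed at all.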
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on managed servers with the privileges of the SSH user. Since it allows arbitrary system commands to be run, an attacker with admin or owner access can potentially compromise the entire server environment, leading to data breaches, service disruption, or further escalation of privileges.
The vulnerability is classified as high severity with a CVSS score of 9.0, indicating significant impact on confidentiality, integrity, and availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying unauthorized or suspicious command execution attempts via the updateTraefikConfig tRPC endpoint in Dokploy versions ≤ 0.28.8.
Since exploitation requires an admin or owner account and involves injecting shell commands through the traefikConfig parameter, monitoring logs for unusual commands or shell injection patterns is recommended.
- Check application logs for calls to the updateTraefikConfig endpoint with suspicious payloads containing single quotes or shell metacharacters.
- Use network monitoring tools to detect unusual SSH command executions originating from the Dokploy server.
- Example command to search logs for suspicious input patterns: grep -E "updateTraefikConfig.*['\";|&]" /path/to/dokploy/logs/*
- Monitor SSH command execution logs on managed servers for unexpected commands executed by the SSH user configured in Dokploy.
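The grep above will also match ordinary Traefik YAML, which legitimately uses single quotes around values (address: ':80'), `|` for block scalars and `&` for anchors. The following added example (not from the page or from Dokploy) scans request logs for updateTraefikConfig calls and flags only values that contain shell syntax. The JSON-lines log format with fields ts, user, role, procedure and input is constructed for the example; Dokploy's real logging will differ, so parseLogLine() is the piece to adapt.

```typescript
// Added example, not Dokploy's code. The log format parsed here is constructed.
export interface Finding {
  ts: string;
  user: string;
  reasons: string[];
}

interface LogEntry {
  ts: string;
  user: string;
  role: string;
  procedure: string;
  input?: { traefikConfig?: string };
}

// Heuristics chosen to stay quiet on ordinary Traefik YAML (quoted values, '|' block
// scalars, '&' anchors) while catching shell syntax inside the config value.
const INDICATORS: Array<[RegExp, string]> = [
  [/'\s*[;&|]/, "single quote immediately followed by a shell separator"],
  [/\$\(|`/, "command substitution syntax"],
  [/&&|\|\|/, "shell AND/OR list operator"],
];

export function parseLogLine(line: string): LogEntry | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.procedure !== "string" || typeof obj.user !== "string") return null;
    return obj as LogEntry;
  } catch {
    return null; // non-JSON noise (plain-text lines, partial writes) is skipped
  }
}

export function inspectConfig(config: string): string[] {
  return INDICATORS.filter(([re]) => re.test(config)).map(([, why]) => why);
}

export function scanLog(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry || !entry.procedure.endsWith("updateTraefikConfig")) continue;
    const reasons = inspectConfig(entry.input?.traefikConfig ?? "");
    if (reasons.length > 0) findings.push({ ts: entry.ts, user: entry.user, reasons });
  }
  return findings;
}

// Constructed sample log: two ordinary config edits, one unrelated call, one non-JSON
// line, and one edit whose value has a quote followed by a separator.
export const SAMPLE_LOG: string[] = [
  JSON.stringify({ ts: "2026-05-29T08:00:01Z", user: "alice", role: "admin", procedure: "updateTraefikConfig",
    input: { traefikConfig: "entryPoints:\n  web:\n    address: ':80'\n" } }),
  JSON.stringify({ ts: "2026-05-29T08:05:12Z", user: "bob", role: "owner", procedure: "updateTraefikConfig",
    input: { traefikConfig: "log:\n  level: DEBUG\n  filePath: |\n    /var/log/traefik.log\n" } }),
  "plain text line that is not JSON",
  JSON.stringify({ ts: "2026-05-29T08:07:40Z", user: "mallory", role: "admin", procedure: "updateTraefikConfig",
    input: { traefikConfig: "x'; echo tampered; '" } }),
  JSON.stringify({ ts: "2026-05-29T08:09:00Z", user: "alice", role: "admin", procedure: "deploy", input: {} }),
];
```

Run scanLog over your exported request log and pivot on the user and timestamp of each finding; because exploitation needs an admin or owner account, every finding maps to a specific privileged identity whose session and SSH activity on the managed servers can then be reviewed.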
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access and monitoring usage of the updateTraefikConfig endpoint.
- Limit admin or owner privileges to trusted users only, as exploitation requires such accounts.
- Disable or restrict the use of the updateTraefikConfig endpoint until a patch or fix is available.
- Monitor and audit SSH keys configured for deployments to ensure they are secure and not compromised.
- Implement network-level controls to restrict SSH access from the Dokploy server to managed servers.
- Stay updated with Dokploy security advisories for any forthcoming patches addressing this vulnerability.