CVE-2026-45633
Deferred Deferred - Pending Action
Command Injection in Dokploy via Unsanitized WebSocket Parameters

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45633
EUVD
EUVD-2026-33353
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dokploy dokploy to 0.26.6 (inc)
dokploy dokploy From 0.26.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45633 is a critical command injection vulnerability in Dokploy version 0.26.6 and earlier. It affects the `/docker-container-logs` WebSocket endpoint, where the `tail` and `since` parameters are not properly validated and are directly concatenated into shell commands.

Because these parameters are unsanitized, an authenticated user can inject malicious commands that get executed with root privileges on the server. This happens because the vulnerable code constructs a shell command like `docker container logs --timestamps --tail ${tail} --since ${since} --follow ${containerId}` using the raw input values.

An attacker can exploit this by injecting command chaining payloads (for example, `tail=10; whoami; #`), leading to arbitrary command execution, including remote code execution, credential theft, full system compromise, or even container escape.

Impact Analysis

This vulnerability can have severe impacts including remote code execution with root privileges, allowing an attacker to fully compromise the affected system.

  • Execution of arbitrary commands on the host system.
  • Theft of sensitive credentials such as database passwords.
  • Complete system compromise, potentially leading to loss of confidentiality, integrity, and availability.
  • Container escape due to access to the Docker socket, which can lead to further attacks on the host or other containers.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious WebSocket requests to the `/docker-container-logs` endpoint that include malicious payloads in the `tail` and `since` parameters. Since the vulnerability involves command injection via these parameters, detection involves identifying unusual or unexpected command chaining patterns.

A proof-of-concept uses crafted WebSocket requests with payloads such as `tail=10; whoami; #` to exploit the flaw. Therefore, inspecting WebSocket traffic for such patterns can help detect exploitation attempts.

Suggested commands to detect exploitation attempts include using network traffic analysis tools (e.g., tcpdump, Wireshark) to filter WebSocket traffic to the vulnerable endpoint and searching for suspicious parameter values.

  • Use tcpdump to capture WebSocket traffic on the relevant port: `tcpdump -i <interface> -A port <port> and tcp`
  • Filter captured traffic for the `/docker-container-logs` endpoint and look for `tail` or `since` parameters containing suspicious characters like semicolons (`;`) or command keywords.
  • Use WebSocket inspection tools or scripts to parse and analyze WebSocket frames for injected commands.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable `/docker-container-logs` WebSocket endpoint and applying input validation to the `tail` and `since` parameters.

Since a full patch is expected in version 0.26.7, you should upgrade to this version once available. Meanwhile, you can apply the partial fix in version 0.26.6, which includes some input validation but is incomplete.

Workarounds include blocking the vulnerable endpoint via a reverse proxy such as Nginx or restricting access to internal networks only.

  • Block or restrict access to `/docker-container-logs` endpoint using Nginx or firewall rules.
  • Restrict access to the Dokploy service to trusted internal networks only.
  • Upgrade Dokploy to version 0.26.7 when it becomes available to apply the full patch.
  • Apply the partial fix in version 0.26.6 if upgrading immediately is not possible.
Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands with root privileges, potentially leading to credential theft, full system compromise, and container escape. Such impacts can result in unauthorized access to sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Because the flaw can compromise confidentiality, integrity, and availability of data, affected organizations using Dokploy versions 0.26.6 and earlier may face compliance risks if sensitive personal or health information is exposed or altered due to exploitation.

Mitigations such as strict input validation and restricting access to the vulnerable endpoint are necessary to reduce the risk of non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45633. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart