CVE-2026-45633
Command Injection in Dokploy via Unsanitized WebSocket Parameters
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | to 0.26.6 (inc) |
| dokploy | dokploy | From 0.26.7 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45633 is a critical command injection vulnerability in Dokploy version 0.26.6 and earlier. It affects the `/docker-container-logs` WebSocket endpoint, where the `tail` and `since` parameters are not properly validated and are directly concatenated into shell commands.
Because these parameters are unsanitized, an authenticated user can inject malicious commands that get executed with root privileges on the server. This happens because the vulnerable code constructs a shell command like `docker container logs --timestamps --tail ${tail} --since ${since} --follow ${containerId}` using the raw input values.
An attacker can exploit this by injecting command chaining payloads (for example, `tail=10; whoami; #`), leading to arbitrary command execution, including remote code execution, credential theft, full system compromise, or even container escape.
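The string-built command quoted above next to a validated, shell-free form, as an added example that is not Dokploy's own code or its patch. The function names and the three allow-list patterns are assumptions chosen to match what `docker container logs` accepts for each option.

```javascript
// Added example, not Dokploy source. Names and patterns are assumptions.

// Vulnerable shape described above: raw values are concatenated into one
// string that a shell later parses, so "10; whoami; #" becomes three commands.
function buildShellCommand(tail, since, containerId) {
  return `docker container logs --timestamps --tail ${tail} --since ${since} --follow ${containerId}`;
}

// Assumed allow-lists: --tail takes a line count or "all"; --since takes a
// relative duration (s/m/h) or an RFC 3339 style date or timestamp.
const TAIL_RE = /^(all|\d{1,7})$/;
const SINCE_RE = /^(\d{1,9}[smh]|\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z?)?)$/;
// The first character must be alphanumeric, so a value can never be read as
// an option such as "--help".
const CONTAINER_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

// Hardened shape: validate every value, then return an argv array so that no
// shell ever interprets the input.
function buildLogsArgv(tail, since, containerId) {
  const checks = [
    ["tail", tail, TAIL_RE],
    ["since", since, SINCE_RE],
    ["containerId", containerId, CONTAINER_RE],
  ];
  for (const [name, value, re] of checks) {
    if (typeof value !== "string" || !re.test(value)) {
      throw new Error(`invalid ${name} parameter`);
    }
  }
  return ["container", "logs", "--timestamps", "--tail", tail,
          "--since", since, "--follow", containerId];
}

// Runs docker directly with the argv array; shell: false keeps ";", "#" and
// similar characters inert even if a pattern above were too permissive.
function streamLogs(tail, since, containerId) {
  const { spawn } = require("node:child_process"); // loaded only when called
  return spawn("docker", buildLogsArgv(tail, since, containerId), { shell: false });
}
```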
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution with root privileges, allowing an attacker to fully compromise the affected system.
- Execution of arbitrary commands on the host system.
- Theft of sensitive credentials such as database passwords.
- Complete system compromise, potentially leading to loss of confidentiality, integrity, and availability.
- Container escape due to access to the Docker socket, which can lead to further attacks on the host or other containers.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious WebSocket requests to the `/docker-container-logs` endpoint that include malicious payloads in the `tail` and `since` parameters. Since the vulnerability involves command injection via these parameters, detection involves identifying unusual or unexpected command chaining patterns.
A proof-of-concept uses crafted WebSocket requests with payloads such as `tail=10; whoami; #` to exploit the flaw. Therefore, inspecting WebSocket traffic for such patterns can help detect exploitation attempts.
Suggested commands to detect exploitation attempts include using network traffic analysis tools (e.g., tcpdump, Wireshark) to filter WebSocket traffic to the vulnerable endpoint and searching for suspicious parameter values.
- Use tcpdump to capture WebSocket traffic on the relevant port: `tcpdump -i <interface> -A port <port> and tcp`
- Filter captured traffic for the `/docker-container-logs` endpoint and look for `tail` or `since` parameters containing suspicious characters like semicolons (`;`) or command keywords.
- Use WebSocket inspection tools or scripts to parse and analyze WebSocket frames for injected commands.
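One way to script the inspection step above, as an added example that is not part of the original page: it scans access-log lines for upgrade requests to `/docker-container-logs` and flags `tail` or `since` values that fall outside an allow-list. The log lines are constructed samples, and the log format, the `containerId` query name and the allow-list patterns are assumptions.

```javascript
// Added example. Constructed sample lines in a common access-log shape;
// assumes the proxy in front of Dokploy logs the WebSocket upgrade request
// line together with its URL-encoded query string.
const SAMPLE_LOG = [
  '10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /docker-container-logs?containerId=a1b2c3d4e5f6&tail=100&since=10m HTTP/1.1" 101 0',
  '10.0.0.9 - - [29/May/2026:10:00:07 +0000] "GET /docker-container-logs?containerId=a1b2c3d4e5f6&tail=10%3B%20whoami%3B%20%23&since=10m HTTP/1.1" 101 0',
  '10.0.0.5 - - [29/May/2026:10:00:09 +0000] "GET /api/health HTTP/1.1" 200 2',
];

// Assumed allow-lists for legitimate values. Anything else is reported, which
// catches shell metacharacters without enumerating them one by one.
const ALLOWED = {
  tail: /^(all|\d{1,7})$/,
  since: /^(\d{1,9}[smh]|\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z?)?)$/,
};

function findSuspiciousRequests(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /"GET (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m) continue;
    let url;
    try {
      // The base is a placeholder; only the path and query are inspected.
      url = new URL(m[1], "http://placeholder.invalid");
    } catch {
      continue; // unparsable request target
    }
    if (url.pathname !== "/docker-container-logs") continue;
    for (const [name, re] of Object.entries(ALLOWED)) {
      const value = url.searchParams.get(name); // percent-decoded by URL
      if (value !== null && !re.test(value)) {
        hits.push({ client: line.split(" ")[0], param: name, value });
      }
    }
  }
  return hits;
}
```

Logs taken at a TLS-terminating proxy are the practical source for this check, since a packet capture of encrypted traffic will not show the query string.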
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable `/docker-container-logs` WebSocket endpoint and applying input validation to the `tail` and `since` parameters.
Since a full patch is expected in version 0.26.7, you should upgrade to this version once available. Meanwhile, you can apply the partial fix in version 0.26.6, which includes some input validation but is incomplete.
Workarounds include blocking the vulnerable endpoint via a reverse proxy such as Nginx or restricting access to internal networks only.
- Block or restrict access to `/docker-container-logs` endpoint using Nginx or firewall rules.
- Restrict access to the Dokploy service to trusted internal networks only.
- Upgrade Dokploy to version 0.26.7 when it becomes available to apply the full patch.
- Apply the partial fix in version 0.26.6 if upgrading immediately is not possible.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users to execute arbitrary commands with root privileges, potentially leading to credential theft, full system compromise, and container escape. Such impacts can result in unauthorized access to sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.
Because the flaw can compromise confidentiality, integrity, and availability of data, affected organizations using Dokploy versions 0.26.6 and earlier may face compliance risks if sensitive personal or health information is exposed or altered due to exploitation.
Mitigations such as strict input validation and restricting access to the vulnerable endpoint are necessary to reduce the risk of non-compliance with these regulations.