CVE-2026-45661
Deferred Deferred - Pending Action
Path Traversal in Dokploy Allows Remote Code Execution

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-02
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45661
EUVD
EUVD-2026-33352
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dokploy dokploy to 0.26.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-35 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45661 is a critical path traversal vulnerability in Dokploy version 0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment.

The vulnerability arises because Dokploy uses the adm-zip library to extract user-uploaded ZIP files but fails to sanitize the filenames inside these ZIP entries, allowing attackers to traverse outside intended directories.

When combined with Dokploy's remote server deployment feature, this flaw enables arbitrary file writes on remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation.

This vulnerability bypasses all container isolation on remote server deployments, making it highly critical.

Impact Analysis

This vulnerability can have severe impacts including:

  • Arbitrary file write on both local and remote server filesystems.
  • Automatic remote code execution through malicious cron jobs.
  • Complete compromise of the affected server.
  • Data exfiltration without any user interaction.
  • Installation of persistent backdoors, allowing attackers ongoing access.

Because the vulnerability bypasses container isolation on remote deployments, the attacker gains extensive control over the target environment.

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious files or cron jobs that have been written to the filesystem through path traversal during application deployment.

  • Look for unexpected or suspicious cron jobs, such as files in /etc/cron.d/ that were not created by administrators.
  • Search for recently created or modified files with unusual paths or names that could indicate path traversal exploitation.
  • Example command to find suspicious cron jobs: `ls -l /etc/cron.d/`
  • Example command to find recently modified files: `find / -type f -mtime -7` (to find files modified in the last 7 days)
  • Check deployment logs for ZIP files containing path traversal sequences or unusual file names.
Mitigation Strategies

Immediate mitigation steps include applying patches or updates that add path validation and sanitize file paths during ZIP extraction.

  • Update Dokploy to a version that includes the fix for this vulnerability, which adds validation to reject dangerous path traversal patterns.
  • Implement input validation for ZIP files to ensure no path traversal sequences are present.
  • Run deployment processes with non-root privileges to limit the impact of any exploitation.
  • Consider sandboxing or isolating the extraction process to prevent writes outside intended directories.
  • Review and remove any suspicious files or cron jobs that may have been created by exploitation attempts.
Compliance Impact

This vulnerability enables arbitrary file writes, remote code execution, complete server compromise, and data exfiltration without user interaction. Such impacts can lead to unauthorized access and disclosure of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Specifically, the ability to exfiltrate sensitive files and install persistent backdoors compromises confidentiality, integrity, and availability of data, potentially resulting in non-compliance with regulations that mandate strict controls over personal and protected health information.

Therefore, organizations using vulnerable versions of Dokploy risk failing to meet compliance obligations related to data security and breach prevention.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45661. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart