CVE-2026-45661
Path Traversal in Dokploy Allows Remote Code Execution
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | up to and including 0.26.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-35 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45661 is a critical path traversal vulnerability in Dokploy version 0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment.
The vulnerability arises because Dokploy uses the adm-zip library to extract user-uploaded ZIP files but fails to sanitize the filenames inside these ZIP entries, allowing attackers to traverse outside intended directories.
When combined with Dokploy's remote server deployment feature, this flaw enables arbitrary file writes on remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation.
This vulnerability bypasses all container isolation on remote server deployments, making it highly critical.
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Arbitrary file write on both local and remote server filesystems.
- Automatic remote code execution through malicious cron jobs.
- Complete compromise of the affected server.
- Data exfiltration without any user interaction.
- Installation of persistent backdoors, allowing attackers ongoing access.
Because the vulnerability bypasses container isolation on remote deployments, the attacker gains extensive control over the target environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of malicious files or cron jobs that have been written to the filesystem through path traversal during application deployment.
- Look for unexpected or suspicious cron jobs, such as files in /etc/cron.d/ that were not created by administrators.
- Search for recently created or modified files with unusual paths or names that could indicate path traversal exploitation.
- Example command to find suspicious cron jobs: `ls -l /etc/cron.d/`
- Example command to find recently modified files: `find / -type f -mtime -7` (to find files modified in the last 7 days)
- Check deployment logs for ZIP files containing path traversal sequences or unusual file names.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying patches or updates that add path validation and sanitize file paths during ZIP extraction.
- Update Dokploy to a version that includes the fix for this vulnerability, which adds validation to reject dangerous path traversal patterns.
- Implement input validation for ZIP files to ensure no path traversal sequences are present.
- Run deployment processes with non-root privileges to limit the impact of any exploitation.
- Consider sandboxing or isolating the extraction process to prevent writes outside intended directories.
- Review and remove any suspicious files or cron jobs that may have been created by exploitation attempts.