CVE-2026-45662
Deferred - Pending Action
Docker Command Injection in Dokploy via Registry Deletion

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
Meta Information
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor: dokploy, Product: dokploy, Version range: up to 0.29.0 (inclusive)
Vendor: dokploy, Product: dokploy, Version range: up to 0.29.0 (exclusive)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45662 is a command injection vulnerability in Dokploy's registry deletion functionality. It occurs because the deleteRegistry function executes the command `docker logout ${response.registryUrl}` without properly escaping the registryUrl value.

While the docker login command in the same code correctly uses a shell escaping function to prevent command injection, the docker logout command does not, allowing an attacker to inject malicious shell commands.

An attacker with registry management permissions can create a registry with a specially crafted registryUrl containing shell metacharacters (like semicolons or pipes). When this registry is deleted, the injected commands are executed on the server.


How can this vulnerability impact me?

This vulnerability can lead to remote code execution (RCE) on the Dokploy host, allowing an attacker to run arbitrary commands on the server.

The impact includes potential full server compromise, lateral movement to other systems, and unauthorized access to the Docker daemon, which could enable container escape.

Because of these risks, the vulnerability has a high severity score of 8.8 (CVSS v3.1), reflecting its high impact on confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual or suspicious executions of the docker logout command that include unexpected special characters or command injection patterns in the registryUrl parameter.

Since the vulnerability involves command injection via the registryUrl during the deletion of a registry, you can look for commands executed on the host that include docker logout followed by suspicious strings containing shell metacharacters such as semicolons (;), pipes (|), or command substitutions.

Suggested commands to detect potential exploitation attempts include:

  • Check process execution logs or audit logs for docker logout commands with unusual arguments: `grep -E 'docker logout.*[;|$()]' /var/log/audit/audit.log`
  • Use system auditing tools like auditd to monitor execution of docker logout commands and alert on suspicious parameters.
  • Inspect Dokploy application logs for registry deletion requests containing registryUrl values with special shell characters.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the execution of unescaped shell commands with user-controlled input in the Dokploy application.

Specifically, ensure that the docker logout command in the deleteRegistry function uses proper shell escaping, similar to the docker login command, by applying the shEscape() function to the registryUrl parameter.

Additional steps include:

  • Restrict registryUrl input validation to disallow special shell characters that can be used for command injection.
  • Limit registry management permissions to trusted users only, as exploitation requires authenticated access with these permissions.
  • Monitor and audit registry deletion operations for suspicious activity.
  • Apply any available patches or updates from Dokploy that address this vulnerability.
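As an added illustration of the fix described above (not Dokploy's own code; the helper names, the validation regex and the sample URL are assumptions), the raw interpolation the advisory describes beside its escaped form, plus an argv-based variant that avoids the shell altogether:

```typescript
// Added example, not Dokploy's own code. Assumes a POSIX /bin/sh target and
// hypothetical helper names; Dokploy's real shEscape() may be implemented differently.

// Wrap a value in single quotes so /bin/sh reads it as one literal word.
// An embedded single quote is closed, backslash-escaped and reopened: ' -> '\''
function shEscape(value: string): string {
  return `'${value.replace(/'/g, `'\\''`)}'`;
}

// "Before": the pattern the advisory describes. The URL is interpolated raw,
// so a ';' or '|' inside it ends the docker command and starts another.
function buildLogoutCommandUnsafe(registryUrl: string): string {
  return `docker logout ${registryUrl}`;
}

// "After": identical command, but the URL is escaped the way docker login already is.
function buildLogoutCommand(registryUrl: string): string {
  return `docker logout ${shEscape(registryUrl)}`;
}

// Defence in depth: reject anything that is not host[:port][/path] before it
// reaches any shell, so metacharacters never get as far as the escaper.
function isPlausibleRegistryUrl(registryUrl: string): boolean {
  return /^[A-Za-z0-9.-]+(:\d{1,5})?(\/[A-Za-z0-9._\/-]*)?$/.test(registryUrl);
}

// Strongest option: no shell at all. Build an argv array for execFile-style
// spawning, where the URL is always exactly one argument regardless of content.
function dockerLogoutArgv(registryUrl: string): string[] {
  if (!isPlausibleRegistryUrl(registryUrl)) {
    throw new Error(`refusing to log out of malformed registry URL: ${registryUrl}`);
  }
  return ["docker", "logout", registryUrl];
}

// Constructed sample input: a registryUrl carrying a shell metacharacter, as the
// advisory describes. With the unsafe builder, everything after ';' would run as
// a second command; with the escaped builder it stays inside one quoted word.
const SAMPLE_URL = "registry.example.com; echo injected";
```

The validation step is the cheapest control to deploy while waiting for the upstream patch, since it stops the problem value at the API boundary rather than in the command builder.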
