CVE-2026-45663
Command Injection in Dokploy via Docker File Upload
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | up to 0.29.1 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45663 is a critical command injection vulnerability in Dokploy, a self-hostable Platform as a Service. It affects versions 0.29.1 and earlier in the Docker file upload functionality.
The vulnerability arises because the destinationPath parameter is not properly sanitized and is directly inserted into a shell command string. This allows an authenticated user to include shell metacharacters such as ; or " to escape the intended docker cp command and execute arbitrary operating system commands on the Dokploy host.
An attacker can exploit this by intercepting a file upload request and setting the destinationPath to a malicious payload, which could lead to unauthorized command execution on the host system.
How can this vulnerability impact me?
This vulnerability has a critical impact with a CVSS score of 9.9, indicating severe consequences for confidentiality, integrity, and availability.
- An attacker with low privileges and network access can execute arbitrary OS commands on the Dokploy host.
- This can lead to unauthorized data access or modification, system compromise, and potential disruption of services.
- Because the attack requires no user interaction and can be performed remotely, it poses a high risk to affected systems.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring file upload requests to the Dokploy service, specifically targeting the Docker file upload functionality. An attacker exploits the destinationPath parameter by injecting shell metacharacters such as ; or ".
One way to detect exploitation attempts is to inspect HTTP requests to the uploadFileToContainer endpoint for suspicious destinationPath values containing shell metacharacters or command injection payloads.
Additionally, on the host system, you can check for unexpected files created by injected commands, such as files in /tmp/ (e.g., /tmp/pwned_upload) which may indicate exploitation.
- Use network traffic inspection tools (e.g., tcpdump, Wireshark) to capture HTTP POST requests to the Dokploy upload endpoint and search for suspicious destinationPath parameters.
- On the host, run commands like: `ls -l /tmp/` to look for unexpected files created by injected commands.
- Check process execution logs or audit logs for unusual shell commands executed by the Dokploy service user.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Dokploy service to trusted users only, as exploitation requires authentication.
Avoid uploading files with untrusted destinationPath parameters until the vulnerability is patched.
Apply the recommended code changes: replace string interpolation in shell commands with safer alternatives like execFile or spawn using argument arrays, and validate the destinationPath parameter against a strict regex that disallows shell metacharacters.
Update Dokploy to a version later than 0.29.1 where this vulnerability is fixed.
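As an added example (not Dokploy's own code), this is the shape of the fix the mitigation answer describes: validate destinationPath against a strict allow-list and hand docker cp its arguments as an array through execFile, so no shell ever parses the value. The regex, the container-name pattern and the function names are assumptions; the same validator can also flag suspicious destinationPath values when reviewing upload requests, as the detection answer suggests.

```typescript
import { execFile } from "node:child_process";
import { promisify } from "node:util";

const execFileAsync = promisify(execFile);

// Allow-list for destinationPath (assumed pattern, not Dokploy's): an absolute path
// whose segments contain only [A-Za-z0-9._-]. Shell metacharacters such as ; " ' ` $ | &
// and whitespace simply are not in the character class, so they never match.
const DEST_PATH_RE = /^\/(?:[A-Za-z0-9._-]+\/)*[A-Za-z0-9._-]*$/;

function isSafeDestinationPath(p: string): boolean {
  if (p.length === 0 || p.length > 4096) return false;
  if (!DEST_PATH_RE.test(p)) return false;
  // ".." passes the character class, so reject parent-directory traversal explicitly.
  return !p.split("/").some((seg) => seg === "..");
}

// Docker container names: leading alphanumeric, then [A-Za-z0-9_.-] (assumed check).
const CONTAINER_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]*$/;

// Returns the argv for `docker cp <localFile> <container>:<destinationPath>`.
// Each value is its own array element, so ; or " cannot split or terminate the command.
// localFile is assumed to be a server-generated temp path, not user input.
function buildDockerCpArgs(localFile: string, containerId: string, destinationPath: string): string[] {
  if (!CONTAINER_RE.test(containerId)) throw new Error("invalid container id");
  if (!isSafeDestinationPath(destinationPath)) throw new Error("invalid destinationPath");
  return ["cp", localFile, `${containerId}:${destinationPath}`];
}

// Hardened replacement for a string-interpolated `docker cp ...` shell command:
// execFile without `shell: true` passes argv directly to the docker binary.
async function copyIntoContainer(localFile: string, containerId: string, destinationPath: string): Promise<void> {
  await execFileAsync("docker", buildDockerCpArgs(localFile, containerId, destinationPath));
}

// Constructed sample destinationPath values: one legitimate, three that the validator rejects.
const samples = ["/app/uploads/report.pdf", "/tmp; id", '/app"; id #', "/app/../etc/passwd"];
for (const s of samples) {
  console.log(JSON.stringify(s), isSafeDestinationPath(s) ? "accepted" : "rejected");
}
```

copyIntoContainer is defined but not called here, so the block runs without a Docker daemon; the loop only exercises the validator.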