Executive Summary

CVE-2026-45663 is a critical command injection vulnerability in Dokploy, a self-hostable Platform as a Service. It affects versions 0.29.1 and earlier in the Docker file upload functionality.

The vulnerability arises because the destinationPath parameter is not properly sanitized and is directly inserted into a shell command string. This allows an authenticated user to include shell metacharacters such as ; or " to escape the intended docker cp command and execute arbitrary operating system commands on the Dokploy host.

An attacker can exploit this by intercepting a file upload request and setting the destinationPath to a malicious payload, which could lead to unauthorized command execution on the host system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability has a critical impact with a CVSS score of 9.9, indicating severe consequences for confidentiality, integrity, and availability.

• An attacker with low privileges and network access can execute arbitrary OS commands on the Dokploy host.
• This can lead to unauthorized data access or modification, system compromise, and potential disruption of services.
• Because the attack requires no user interaction and can be performed remotely, it poses a high risk to affected systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring file upload requests to the Dokploy service, specifically targeting the Docker file upload functionality. An attacker exploits the destinationPath parameter by injecting shell metacharacters such as ; or ".

One way to detect exploitation attempts is to inspect HTTP requests to the uploadFileToContainer endpoint for suspicious destinationPath values containing shell metacharacters or command injection payloads.

Additionally, on the host system, you can check for unexpected files created by injected commands, such as files in /tmp/ (e.g., /tmp/pwned_upload) which may indicate exploitation.

• Use network traffic inspection tools (e.g., tcpdump, Wireshark) to capture HTTP POST requests to the Dokploy upload endpoint and search for suspicious destinationPath parameters.
• On the host, run commands like: `ls -l /tmp/` to look for unexpected files created by injected commands.
• Check process execution logs or audit logs for unusual shell commands executed by the Dokploy service user.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Dokploy service to trusted users only, as exploitation requires authentication.

Avoid uploading files with untrusted destinationPath parameters until the vulnerability is patched.

Apply the recommended code changes: replace string interpolation in shell commands with safer alternatives like execFile or spawn using argument arrays, and validate the destinationPath parameter against a strict regex that disallows shell metacharacters.

Update Dokploy to a version later than 0.29.1 where this vulnerability is fixed.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary OS commands on the Dokploy host, which can lead to a critical impact on confidentiality, integrity, and availability of the system.

Such a compromise could result in unauthorized access to sensitive data or disruption of services, potentially causing non-compliance with standards and regulations like GDPR and HIPAA that require protection of data confidentiality and integrity.

However, the provided information does not explicitly detail the direct effects on compliance with these regulations.

Useful 0 Not Useful 0