Impact
A command injection flaw exists in Dokploy’s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly inserted into shell commands without sanitization, allowing an authenticated user to execute arbitrary shell commands on the host. This flaw enables remote code execution with full control over the underlying operating system, compromising confidentiality, integrity, and availability.
Affected Systems
All installations of Dokploy prior to version 0.26.6 are affected. The vulnerable component is the self‑hosted Platform as a Service application Dokploy. Upgrading to version 0.26.6 or later removes the untrusted input from the shell command construction and resolves the issue.
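The fix described above amounts to keeping untrusted input out of shell command construction. The following is an added example, not Dokploy's own code, showing one defensive pattern for the two parameters the advisory names: strict validation of `containerId` and `activeWay`, then building the `docker exec` invocation as an argument vector for `child_process.execFile`/`spawn` rather than a string for `exec`. The assumption that `activeWay` selects the shell started inside the container, and the `bash`/`sh` allowlist, are this example's own.

```typescript
// Added example, not Dokploy's code. Validates the two WebSocket parameters
// named in the advisory before anything spawns a process, and returns the
// docker invocation as an argv array (for execFile/spawn), never as a
// shell string (for exec), so /bin/sh never parses the values.

// Docker container IDs are lowercase hex: 12-char short or 64-char full form.
const CONTAINER_ID_RE = /^(?:[0-9a-f]{12}|[0-9a-f]{64})$/;

// Assumption: activeWay selects the shell started inside the container.
// Only a fixed allowlist is accepted; anything else is rejected outright.
const ALLOWED_ACTIVE_WAYS: ReadonlySet<string> = new Set(["bash", "sh"]);

interface TerminalRequest {
  containerId: unknown;
  activeWay: unknown;
}

type ValidatedRequest = { containerId: string; activeWay: string };

// Returns the validated pair or null. Values arrive from a WebSocket
// message, so they are treated as untyped until checked.
function validateTerminalRequest(req: TerminalRequest): ValidatedRequest | null {
  const { containerId, activeWay } = req;
  if (typeof containerId !== "string" || !CONTAINER_ID_RE.test(containerId)) {
    return null;
  }
  if (typeof activeWay !== "string" || !ALLOWED_ACTIVE_WAYS.has(activeWay)) {
    return null;
  }
  return { containerId, activeWay };
}

// Argument vector for `docker exec -it <id> <shell>`. Because this array is
// meant for execFile/spawn rather than a string for exec, no shell ever
// interprets the values, and the validator has already rejected anything
// outside the expected character set.
function buildDockerExecArgs(req: TerminalRequest): string[] {
  const ok = validateTerminalRequest(req);
  if (ok === null) {
    throw new Error("rejected terminal request");
  }
  return ["exec", "-it", ok.containerId, ok.activeWay];
}
```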
Risk and Exploitability
The CVSS score of 9.9 classifies this vulnerability as critical. The EPSS score is 3%, indicating a low probability of exploitation. The flaw is reachable through a remote WebSocket interface and requires only an authenticated account; no additional local privileges are needed. Although the vulnerability is not listed in the CISA KEV catalog, the combination of critical severity and a low bar to reach the endpoint (any authenticated user) means that any environment running a vulnerable version of Dokploy should treat it as a top-priority issue.
OpenCVE Enrichment