Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation, and direct shell interpolation. User-controlled application names pass through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.
Published: 2026-05-18
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy allows an authenticated attacker to inject arbitrary shell commands through the appName field during application creation. The injected commands are executed with server‑level privileges when service operations such as start, stop, remove, or scale are performed. This is a classic command injection flaw, identified as CWE-78, that can lead to full system compromise. The vulnerability exists because the appName is sanitized only by replacing spaces and lower‑casing, is not checked against any schema, and is then interpolated directly into shell commands. The impact is critical, exposing the host operating system to arbitrary code execution.

Affected Systems

The affected product is Dokploy, a self‑hostable Platform as a Service, version 0.26.6 and earlier. Any installation running one of these releases is vulnerable as soon as an authenticated user who can create applications supplies a malicious application name and a service operation is later run on it.

Risk and Exploitability

The CVSS score is 9.9, indicating a critical severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. An authenticated attacker who can create an application can inject characters such as ;, $(), backticks, |, and & into the appName. When the attacker later triggers a service operation, the injected command runs with the privileges of the Dokploy service, leading to complete compromise. The risk is high and the exploitation window remains open until affected installations are updated.

Generated by OpenCVE AI on May 18, 2026 at 22:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Dokploy version 0.26.7 or later, which removes the command injection flaw.
  • Audit existing application names for unsafe characters and either delete or rename them using a safe naming convention to eliminate malicious payloads.
  • Restrict the ability to create or modify application names to trusted administrators or enforce input validation that rejects shell metacharacters.
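The following TypeScript is an added illustration written for this page; it is not Dokploy's code and does not reproduce its internals. It contrasts a reconstruction of the weak "replace spaces and lower-case" sanitizer the description refers to with a defensive version: an allowlist validator that rejects any name containing characters outside [a-z0-9-], an argv builder that passes the name as a single literal argument for execFile-style execution instead of interpolating it into a shell string, and an audit helper matching the "audit existing application names" recommendation above. The function names, the regular expression, and the docker service command shapes are assumptions for the example.

```typescript
// Added example (not Dokploy's code). Demonstrates why "cleaning" a name is
// not the same as validating it, and how to keep the name out of a shell.

// Assumed reconstruction of the weak behaviour the advisory describes:
// only whitespace is replaced and the string is lower-cased, so shell
// metacharacters such as ';' or '$(' survive untouched.
function weakCleanAppName(name: string): string {
  return name.replace(/\s+/g, "-").toLowerCase();
}

// Strict allowlist (assumed policy): lowercase letters, digits and hyphens,
// starting with an alphanumeric, 1 to 63 characters. Names that do not match
// are rejected outright rather than rewritten.
const SAFE_APP_NAME = /^[a-z0-9][a-z0-9-]{0,62}$/;

function isSafeAppName(name: string): boolean {
  return SAFE_APP_NAME.test(name);
}

// Schema-style validation at the trust boundary: throws on anything unsafe,
// so an unsafe value can never reach command construction.
function validateAppName(name: string): string {
  if (!isSafeAppName(name)) {
    throw new Error(`invalid application name: ${JSON.stringify(name)}`);
  }
  return name;
}

type ServiceOp = "start" | "stop" | "remove" | "scale";

// Build the argv for a service operation as an array (for execFile-style
// execution with no shell). The command shapes are assumed for the example.
// Even if validation were bypassed, the name would be a single literal
// argument, never parsed by a shell.
function buildServiceArgv(op: ServiceOp, appName: string, replicas = 1): string[] {
  const name = validateAppName(appName);
  switch (op) {
    case "start":
      return ["docker", "service", "scale", `${name}=1`];
    case "scale":
      return ["docker", "service", "scale", `${name}=${replicas}`];
    case "stop":
      return ["docker", "service", "scale", `${name}=0`];
    case "remove":
      return ["docker", "service", "rm", name];
    default:
      throw new Error(`unknown service operation: ${String(op)}`);
  }
}

// Audit helper for existing records: returns the stored names that would
// fail the allowlist, so an operator can rename or delete them.
function auditAppNames(names: string[]): string[] {
  return names.filter((n) => !isSafeAppName(n));
}

// Constructed sample of stored application names for the audit.
const SAMPLE_APP_NAMES = ["web", "api-v2", "Web", "x$(y)", "a b"];
const flagged = auditAppNames(SAMPLE_APP_NAMES);
console.log("names needing rename/delete:", flagged);
```

The key design point is the split between `validateAppName` (reject, do not repair) and `buildServiceArgv` (argv array, no shell): either change alone narrows the bug, but together the name can neither carry a metacharacter nor be parsed by a shell if one slips through.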


Advisories

No advisories yet.

History

Mon, 18 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dokploy
                                       Dokploy dokploy
Vendors & Products                     Dokploy
                                       Dokploy dokploy

Mon, 18 May 2026 21:15:00 +0000

Type           Values Removed   Values Added
Description                     Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.
Title                           Dokploy has Command Injection in its Service Operations
Weaknesses                      CWE-78
References
Metrics                         cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T20:58:42.885Z

Reserved: 2026-02-17T18:42:27.044Z

Link: CVE-2026-27130

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-18T21:16:39.890

Modified: 2026-05-18T21:16:39.890

Link: CVE-2026-27130

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-18T22:30:25Z

Weaknesses