Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
Published: 2026-05-29
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy PaaS 0.29.2 and earlier construct shell commands by interpolating unsanitized user input (branch names, repository URLs, and Docker credentials) directly into JavaScript template literals that are then executed via child_process.exec(), which hands the string to /bin/sh -c. Because nothing is escaped, an attacker who controls one of these fields can insert arbitrary shell commands, which run with the privileges of the Dokploy server process. This is classified as an Input Validation Failure (CWE-20) and a Command Injection (CWE-77).

Affected Systems

The vulnerability affects Dokploy, the free, self-hosted Platform as a Service, in all releases up to and including 0.29.2. Any user holding application create or edit privileges can trigger the flaw.

Risk and Exploitability

The CVSS score of 9.6 indicates Critical severity, and the vulnerability is exploitable by any authenticated user with permission to create or edit applications. No EPSS score is available, and the absence of a KEV listing does not reduce the potential impact. An attacker can use the injection to execute arbitrary commands on the host, leading to full system compromise.

Generated by OpenCVE AI on May 29, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokploy to 0.29.3 or a later patched release that sanitizes all branch and repository fields before command execution.
  • If an immediate upgrade is not possible, restrict application create/edit privileges to trusted administrators and disable untrusted user accounts from performing these actions.
  • Implement input validation or sanitization on any branch, repository URL, or Docker credential fields before they are passed to the shell to prevent injection.

Generated by OpenCVE AI on May 29, 2026 at 18:51 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Dokploy; Dokploy dokploy
Vendors & Products                     Dokploy; Dokploy dokploy

Fri, 29 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description                    Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
Title                          Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Weaknesses                     CWE-20; CWE-77
References
Metrics                        cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:29:45.302Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45628

Vulnrichment

Updated: 2026-05-29T19:29:32.520Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:10.807

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45628

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:00:06Z

Weaknesses