Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the /listen-deployment WebSocket endpoint of Dokploy 0.28.8 and earlier lets any authenticated organization member inject operating system commands. The injected input is executed as a shell command on the remote servers that the Dokploy instance manages, with whatever privileges Dokploy uses to run commands there, so the attacker gains full control of those servers rather than just the Dokploy application (the CVSS vector records this as a scope change). This is a textbook instance of OS Command Injection (CWE-78); the vector rates confidentiality and integrity impact as high and availability impact as low, and nothing beyond a working login stands between a member and that outcome.

Affected Systems

Dokploy Platform as a Service, version 0.28.8 and earlier, is affected, regardless of where or how it is deployed. The precondition is a valid account in an organization on the instance, not administrator rights, so every instance running a vulnerable version is exposed to each of its members, and the systems at stake are the remote servers that instance manages.

Risk and Exploitability

The CVSS score of 9.9 reflects the severe impact combined with a low barrier: the only requirements are network reachability and an authenticated account with low privileges (PR:L), with no user interaction. EPSS is below 1% (Very Low) and the CVE is not in KEV, but both measures lag a freshly published CVE and neither offsets how easy the precondition is to meet. The attack path is short: log in as an organization member, open a WebSocket to /listen-deployment, and send a crafted message or parameter that ends up in a shell command on a managed server. Because a single Dokploy instance commonly manages several servers and organization membership is routinely granted to developers who are not administrators, the exposed population is every member account, including any whose credentials have leaked.

Generated by OpenCVE AI on May 29, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release later than 0.28.8 (0.28.9 or later) once the vendor confirms it contains the /listen-deployment fix; at the time of writing no vendor advisory is linked to this CVE and the Remediation field above reports no vendor fix, so verify against Dokploy's release notes before treating an upgrade as remediation
  • If an immediate upgrade is not possible, reduce who can reach the endpoint: place the whole Dokploy UI behind a VPN or IP allowlist and prune organization membership to people who need it, keeping in mind that the attack requires only a valid member login, so IP filtering alone does nothing against an existing member
  • Monitor for shell metacharacters (;, |, &, $(, backticks, redirections) in the parameters of WebSocket upgrade requests to /listen-deployment and in messages sent over it, and watch the managed servers for unexpected child processes spawned by the Dokploy process; input validation on the endpoint itself is something only the patched release can provide

Generated by OpenCVE AI on May 29, 2026 at 18:24 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Dokploy; Dokploy dokploy
Vendors & Products   -                Dokploy; Dokploy dokploy

Fri, 29 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description   -                Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
Title         -                Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint
Weaknesses    -                CWE-78
References    -                -
Metrics       -                cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T16:40:59.537Z

Reserved: 2026-05-12T20:31:43.449Z

Link: CVE-2026-45629

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-29T18:17:10.953

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45629

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses