Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
Published: 2026-05-29
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy 0.28.8 and earlier contain an authenticated operating‑system command injection flaw in the application.updateTraefikConfig tRPC endpoint. The vulnerability arises from unsanitized echo shell interpolation, allowing any authenticated admin or owner to run arbitrary system commands on the remote host. This is a classic OS command injection, mapped to CWE‑78, and can compromise confidentiality, integrity, and availability of the underlying server.

Affected Systems

The affected product is Dokploy, a self‑hostable Platform as a Service. Only versions 0.28.8 and prior are vulnerable, regardless of other platform features.

Risk and Exploitability

With a CVSS score of 9, this flaw provides high‑severity remote code execution to privileged users. Because it requires administrator or owner authentication, the attack surface is limited to users with elevated roles, but the repercussions of successful exploitation are severe. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is authenticated exploitation via the updateTraefikConfig endpoint.

Generated by OpenCVE AI on May 29, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokploy to the latest release that fixes the command injection in the updateTraefikConfig endpoint.
  • If an upgrade is not immediately possible, revoke or restrict admin/owner privileges on the affected instances.
  • Employ network segmentation or firewall rules to limit external reachability of the vulnerable API endpoint until a fix can be applied.

Generated by OpenCVE AI on May 29, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Dokploy
Dokploy dokploy
Vendors & Products Dokploy
Dokploy dokploy

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
Title Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L'}

Subscriptions

Dokploy Dokploy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T16:15:36.086Z

Reserved: 2026-05-12T20:31:43.450Z

Link: CVE-2026-45630

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T18:17:11.103

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45630

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses