Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy 0.26.6 and earlier contain a command injection flaw (CWE-78) in the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into a shell command string without validation, so an authenticated user can terminate the intended docker command with shell metacharacters and run arbitrary commands with root privileges. Because those commands execute as root on the machine running Dokploy, a successful attack yields full compromise of that host rather than of the application alone, which the CVSS vector records as a scope change (S:C).

Affected Systems

The affected product is Dokploy, a self-hosted Platform as a Service. Every release up to and including 0.26.6 is affected; the flaw is in the application's own log-streaming code, so it applies to any installation running one of those versions.

Risk and Exploitability

The CVSS 3.1 base score is 9.9 (Critical; vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): the endpoint is reachable over the network, exploitation is low complexity, no user interaction is required, and the only precondition is a low-privileged authenticated account. No EPSS score has been published and the CVE is not in the CISA KEV catalog, but the SSVC enrichment records Exploitation: poc (a proof of concept is known) and Automatable: no, so the missing EPSS value should not be read as low likelihood. The attack path is an authenticated WebSocket connection to /docker-container-logs carrying crafted tail or since values that break out of the docker command and execute attacker-chosen shell commands.

Generated by OpenCVE AI on May 29, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Upgrade Dokploy to 0.26.7 or later (the first version outside the affected range of 0.26.6 and earlier), and confirm the fix in the vendor's release notes, since no vendor advisory is recorded here yet.
  • Limit Dokploy accounts to trusted administrators and remove unused ones: the flaw needs only a low-privileged authenticated session (PR:L), so every account that can open the /docker-container-logs WebSocket is a potential path to root.
  • If upgrading is not immediately possible, patch the log-streaming handler in your deployment so that tail (a non-negative integer or "all") and since (a duration or timestamp) are validated against a strict allowlist and passed to the docker CLI as separate arguments, never interpolated into a shell command string.
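
The vulnerable shape described in the Impact section and the allowlist-plus-argv fix recommended above, side by side. This is an added example written for this page, not Dokploy's code: the function names, the exact docker logs invocation, and the container/tail/since grammars are assumptions made for the illustration. spawn from node:child_process is passed in as a parameter so the file has no imports and the argv can be checked without Docker installed.

```javascript
// Added example (not Dokploy's code). Shows the vulnerable pattern from the
// advisory next to a hardened handler for a "docker logs" streaming endpoint.
// Function and parameter names below are assumptions for this illustration.

// --- Vulnerable pattern (CWE-78): untrusted query values interpolated into a
// shell command string. Returned here instead of executed so the payload can
// be inspected; in a real handler this string would be handed to exec()/sh.
function buildVulnerableCommand(containerId, tail, since) {
  return `docker logs --tail ${tail} --since ${since} ${containerId}`;
}

// --- Hardened version: strict allowlists, then an argv array passed to spawn()
// with no shell, so metacharacters are never interpreted by anything.

// Container IDs (hex) and docker names match this; requiring a leading
// alphanumeric also guarantees the value can never be parsed as a flag.
const CONTAINER_RE = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;
// `docker logs --tail` accepts "all" or a non-negative integer.
const TAIL_RE = /^(all|\d{1,7})$/;
// `docker logs --since` accepts a Go duration (10m, 1h30m, 45s) or an
// RFC 3339 timestamp. Unix timestamps are deliberately not accepted here.
const SINCE_RE =
  /^(?:(?:\d+(?:\.\d+)?(?:ns|us|ms|s|m|h))+|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))$/;

function checkParam(name, value, re, required = false) {
  if (value === undefined || value === null) {
    if (required) throw new Error(`${name} is required`);
    return undefined;
  }
  // Query parsers often yield arrays for repeated keys; never accept those.
  if (typeof value !== "string") throw new Error(`${name} must be a string`);
  if (!re.test(value)) throw new Error(`${name} has an invalid value`);
  return value;
}

// Validates the raw WebSocket query parameters; throws on anything outside
// the allowlist (shell metacharacters, flag-like values, non-strings).
function validateLogsParams(raw) {
  return {
    containerId: checkParam("containerId", raw.containerId, CONTAINER_RE, true),
    tail: checkParam("tail", raw.tail, TAIL_RE),
    since: checkParam("since", raw.since, SINCE_RE),
  };
}

// Builds the argv array for `docker logs`. Each value is its own argv element;
// nothing is joined into a string or seen by /bin/sh.
function buildLogsArgs({ containerId, tail, since }) {
  const args = ["logs"];
  if (tail !== undefined) args.push("--tail", tail);
  if (since !== undefined) args.push("--since", since);
  args.push(containerId);
  return args;
}

// spawnImpl is child_process.spawn (injected so this file needs no imports
// and the call can be verified with a fake).
function runDockerLogs(spawnImpl, rawParams) {
  const args = buildLogsArgs(validateLogsParams(rawParams));
  // shell: false (the default) makes spawn pass argv straight to execve.
  return spawnImpl("docker", args, { shell: false, stdio: ["ignore", "pipe", "pipe"] });
}
```

With the vulnerable builder, tail = "100; id > /tmp/pwned" becomes part of the shell line verbatim; with the hardened path the same input is rejected before any process is started, and a valid request reaches spawn as ["logs", "--tail", "100", "--since", "10m", "web-1"].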

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Dokploy
                                        Dokploy dokploy
Vendors & Products                      Dokploy
                                        Dokploy dokploy

Fri, 29 May 2026 19:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 17:30:00 +0000

Type          Values Removed    Values Added
Description                     Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
Title                           Dokploy: Command Injection in /docker-container-logs Endpoint
Weaknesses                      CWE-78
References
Metrics                         cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T18:25:04.705Z

Reserved: 2026-05-12T20:31:43.450Z

Link: CVE-2026-45633

Vulnrichment

Updated: 2026-05-29T17:33:18.326Z

NVD

Status: Deferred

Published: 2026-05-29T18:17:11.510

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45633

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses