Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In version 0.26.5 and earlier, a critical path traversal vulnerability allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file writes to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. It bypasses all container isolation on remote server deployments.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical path traversal flaw in Dokploy permits authenticated users to write any file to the host filesystem during application deployment. The vulnerability is described by CWE-22 and CWE-35 and enables attackers to create or modify system files, inject malicious cron jobs, and ultimately gain full control of the target server. This flaw bypasses container isolation for remote server deployments, allowing direct tampering with remote filesystems and installation of persistent backdoors.

Affected Systems

Affected systems are Dokploy installations running version 0.26.5 or earlier. The platform is a self-hosted, free Platform as a Service that supports both local and remote deployment of applications; any user with deployment privileges can trigger the vulnerability.

Risk and Exploitability

The CVSS score of 9.9 marks this flaw as critical, and although no EPSS value is available, the potential for widespread exploitation remains high because only an authenticated deployment account is required. The vulnerability has not yet appeared in the CISA KEV catalog, but its impact suggests it would be considered high-risk if widely deployed. Attackers could exploit the flaw by authenticating to the application, then deploying an application that writes a malicious script to a location that is executed as a cron job, effectively achieving remote code execution and full server compromise.

Generated by OpenCVE AI on May 29, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokploy to the latest version (0.26.6 or later), which removes the path traversal condition
  • Disable the remote server deployment feature until a patch is applied, preventing the attack vector that allows filesystem writes on remote machines
  • Restrict the privileges of users who can deploy applications so that only trusted administrators have write access to deployment artifacts
  • If a patch cannot be applied immediately, monitor for unexpected file writes or new cron jobs that may indicate exploitation attempts

Generated by OpenCVE AI on May 29, 2026 at 18:28 UTC.
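The kind of check that closes a deployment-time path traversal (CWE-22) of the sort this record describes, written here as an added example in TypeScript (Dokploy's language) and not taken from Dokploy's code base or its fix: every path from a deployment manifest is resolved against the deployment directory and rejected unless the resulting write stays inside it. The deployment root, the manifest shape and the sample entries are assumptions constructed for the example.

```typescript
import * as path from "node:path";

// Assumed shape of one manifest entry (not Dokploy's real type).
interface DeployFile {
  relPath: string;
  content: string;
}

// Resolve an untrusted relative path against the deployment root and return
// the absolute target, or null if the write would land outside the root.
function resolveDeployPath(deployRoot: string, relPath: string): string | null {
  // NUL bytes truncate paths at the syscall layer; never let them through.
  if (relPath.includes("\0")) return null;
  // Treat backslashes as separators so "..\..\etc" cannot pose as a filename.
  const input = relPath.replace(/\\/g, "/");
  // A manifest entry must be relative; absolute paths are rejected outright.
  if (path.posix.isAbsolute(input)) return null;
  const root = path.posix.resolve(deployRoot);
  const target = path.posix.resolve(root, input);
  // Compare with a trailing separator so "/srv/deploy-evil" cannot pass a naive
  // prefix test against "/srv/deploy"; the root itself is a directory, not a file.
  if (!target.startsWith(root + "/")) return null;
  return target;
}

// Split a manifest into writes that stay inside the root and entries to refuse.
function planWrites(deployRoot: string, files: DeployFile[]): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const f of files) {
    const target = resolveDeployPath(deployRoot, f.relPath);
    if (target === null) rejected.push(f.relPath);
    else accepted.push(target);
  }
  return { accepted, rejected };
}

// Constructed sample manifest: two legitimate entries and three that try to
// escape the deployment directory (content is irrelevant; the path decides).
const SAMPLE_MANIFEST: DeployFile[] = [
  { relPath: "config/app.env", content: "PORT=3000" },
  { relPath: "static/../index.html", content: "<html></html>" },
  { relPath: "../../../etc/cron.d/job", content: "" },
  { relPath: "..\\..\\..\\etc\\cron.d\\job", content: "" },
  { relPath: "/etc/cron.d/job", content: "" },
];

// Assumed deployment root for the demonstration.
const DEMO = planWrites("/srv/deploy/app", SAMPLE_MANIFEST);
```

Resolving before comparing is what matters: a check on the raw string (looking for "..") misses encoded or normalised forms, while a check on the resolved absolute path covers them all.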

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Dokploy; Dokploy dokploy
Vendors & Products  |                | Dokploy; Dokploy dokploy

Fri, 29 May 2026 17:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.5 and earlier, a critical path traversal vulnerability exists in Dokploy v0.26.5 that allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.
Title       |                | Dokploy: Remote Code Execution through Path Traversal
Weaknesses  |                | CWE-22; CWE-35
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T16:07:54.491Z

Reserved: 2026-05-12T21:59:25.665Z

Link: CVE-2026-45661

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-29T18:17:11.780

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-45661

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses