Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
Published: 2026-05-29
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy’s deleteRegistry function, used in versions 0.29.0 and earlier, invokes the docker logout command without shell escaping, unlike the docker login command which correctly applies shEscape(). The registryUrl parameter is concatenated directly into the logout command, allowing an attacker to insert malicious shell syntax. When a crafted URL is supplied via the deleteRegistry API, arbitrary shell commands are executed on the host running Dokploy, providing an attacker full control over the system.

Affected Systems

Dokploy Platform-as-a-Service, product name Dokploy, affected in all releases up to and including 0.29.0.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as high severity. The EPSS score is not available, but the lack of a CISA KEV listing does not diminish the inherent risk. An attacker who can trigger the deleteRegistry operation—typically an authenticated user with permission to delete registries—can craft the registryUrl to execute arbitrary commands. Successful exploitation results in remote code execution, which can lead to total compromise of the host, data exfiltration, and further lateral movement.

Generated by OpenCVE AI on May 29, 2026 at 17:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Dokploy release that includes proper shell escaping for the docker logout command (any version newer than 0.29.0).
  • If an upgrade is not immediately possible, modify the deleteRegistry implementation to apply the same shEscape() function to the registryUrl before executing docker logout, ensuring that special characters are escaped.
  • Perform a security review of all registry entries to detect and remove any that may have been injected with malicious commands, and audit logs to verify there has been no unauthorized activity.

Generated by OpenCVE AI on May 29, 2026 at 17:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Dokploy
Dokploy dokploy
Vendors & Products Dokploy
Dokploy dokploy

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
Title Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Dokploy Dokploy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T16:04:51.019Z

Reserved: 2026-05-12T21:59:25.665Z

Link: CVE-2026-45662

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:28.213

Modified: 2026-05-29T16:29:11.350

Link: CVE-2026-45662

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses