Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Published: 2026-05-29
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Dokploy 0.29.1 and earlier, the container file-upload feature accepts a destinationPath value from any authenticated user, performs no validation on it, and interpolates it directly into the shell command string that wraps docker cp. Shell metacharacters in that value (the advisory cites ; and ") terminate the intended docker cp invocation and let the attacker run arbitrary operating-system commands on the Dokploy host with the privileges of the Dokploy process. The CVSS vector (S:C with C:H/I:H/A:H) records that the impact crosses from the application to the host itself. The weakness is classified as CWE-77, improper neutralization of special elements used in a command.

Affected Systems

Dokploy, the free, self-hostable Platform as a Service, is affected in every release up to and including 0.29.1. Operators running these versions should assume the container file-upload feature is reachable by every authenticated account, and should review who holds an account: the only precondition the description names is authentication, not an administrative role.

Risk and Exploitability

The CVSS 3.1 base score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): the endpoint is reachable over the network, the attack is low-complexity, it needs only a low-privileged authenticated account and no user interaction, and the impact extends beyond the application to the host. No EPSS value is available yet. The SSVC assessment on this record marks Exploitation as 'poc' and Technical Impact as 'total' but Automatable as 'no', which is consistent with the credential requirement: an attacker holding any valid Dokploy login can expect the injection to work wherever the upload endpoint is reachable. The vulnerability is not listed in the CISA KEV catalog, but a critical-severity command injection behind nothing more than a low-privileged login is a substantial risk for any organization running the affected versions.

Generated by OpenCVE AI on May 29, 2026 at 17:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Dokploy release later than 0.29.1 that fixes the container file-upload handler as soon as the vendor publishes one; this record does not yet list a fixed version, so confirm the fix against the vendor's advisory rather than assuming the next release is safe.
  • If an immediate upgrade is not possible, restrict which accounts can invoke the file-upload API, or disable the feature entirely, until a patch can be applied.
  • For the code fix, do not build the docker cp invocation as a shell string at all: pass the arguments as an array to an API that executes without a shell (in Node.js, execFile rather than exec), and additionally validate destinationPath server-side by rejecting shell metacharacters and normalizing it so that it stays under the intended container directory. Rejecting metacharacters alone is the weaker control; removing the shell from the call is what eliminates the injection.
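To make the last point concrete, the following is an added example in TypeScript (the language Dokploy is written in); it is not Dokploy's code, and the function names, the injected ProcessRunner type, the allowedRoot parameter, the sample container id and the payload are all assumptions for illustration. It places the string-interpolation pattern the advisory describes beside a version that validates destinationPath against an allowed root and hands docker cp its arguments as an array, so no shell ever parses the user-supplied path.

```typescript
// Added example, not Dokploy's code. All names here are assumed for
// illustration; only the pattern matches the advisory.

// The vulnerable pattern: the caller-controlled destinationPath is spliced
// into one string that is later handed to /bin/sh. A value containing a
// closing quote and a semicolon ends the docker cp command and starts a new
// one. Kept only to show what the injected command line looks like.
export function buildVulnerableShellCommand(
  localFile: string,
  containerId: string,
  destinationPath: string,
): string {
  return `docker cp "${localFile}" "${containerId}:${destinationPath}"`;
}

// Characters that can break out of a quoted shell word or chain commands.
// With the argv-based execution below they are harmless, so this check is
// defence in depth, not the primary control.
const SHELL_METACHARACTERS = /[;&|`$"'\\<>\n\r\0]/;

// Minimal POSIX-style normalisation (collapses ".", ".." and empty segments)
// so the allowed-root check cannot be bypassed with traversal.
export function normalizePosixPath(p: string): string {
  const out: string[] = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Returns the normalised path if it is absolute, free of shell
// metacharacters and confined under allowedRoot; otherwise null.
export function validateDestinationPath(
  destinationPath: string,
  allowedRoot: string,
): string | null {
  if (!destinationPath.startsWith("/")) return null;
  if (SHELL_METACHARACTERS.test(destinationPath)) return null;
  const normalized = normalizePosixPath(destinationPath);
  const root = normalizePosixPath(allowedRoot);
  if (root === "/") return normalized;
  if (normalized === root || normalized.startsWith(root + "/")) return normalized;
  return null;
}

// Builds the argument vector for `docker cp`. Nothing in it is parsed by a
// shell: each element reaches docker as exactly one argument. localFile is
// the server-side temporary file produced by the upload handler, not user input.
export function buildDockerCpArgv(
  localFile: string,
  containerId: string,
  destinationPath: string,
  allowedRoot: string,
): string[] {
  if (!/^[A-Za-z0-9][A-Za-z0-9_.-]*$/.test(containerId)) {
    throw new Error("invalid container id");
  }
  const safePath = validateDestinationPath(destinationPath, allowedRoot);
  if (safePath === null) {
    throw new Error("destinationPath rejected");
  }
  return ["cp", localFile, `${containerId}:${safePath}`];
}

// The runner is injected so this example runs offline. In production pass
// something like (file, args) => execFile(file, args, callback) from
// node:child_process, which spawns docker directly, without a shell.
export type ProcessRunner = (file: string, args: string[]) => void;

export function copyFileToContainer(
  run: ProcessRunner,
  localFile: string,
  containerId: string,
  destinationPath: string,
  allowedRoot: string,
): string[] {
  const argv = buildDockerCpArgv(localFile, containerId, destinationPath, allowedRoot);
  run("docker", argv);
  return argv;
}

// Constructed payload of the shape the advisory describes: it closes the
// quoted word, runs a second command, then reopens a quote so the shell
// syntax stays valid.
const PAYLOAD = '/tmp"; id > /tmp/pwned; echo "';

console.log("vulnerable:", buildVulnerableShellCommand("/srv/up.txt", "abc123", PAYLOAD));
console.log("hardened  :", validateDestinationPath(PAYLOAD, "/app"));
console.log("allowed   :", copyFileToContainer(() => {}, "/srv/up.txt", "abc123", "/app/data/up.txt", "/app"));
```

The vulnerable builder yields `docker cp "/srv/up.txt" "abc123:/tmp"; id > /tmp/pwned; echo ""`, which a shell happily runs as three commands; the hardened path rejects the same payload before anything is spawned, and even a payload that slipped past the metacharacter check would reach docker as a single argument, where it is merely an odd filename.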


Advisories

No advisories yet.

History

Fri, 29 May 2026 21:30:00 +0000

Type    | Values Removed | Values Added
Metrics | (none)         | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared | (none)         | Dokploy; Dokploy dokploy
Vendors & Products  | (none)         | Dokploy; Dokploy dokploy

Fri, 29 May 2026 16:15:00 +0000

Type        | Values Removed | Values Added
Description | (none)         | Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.1 and earlier, a command injection vulnerability exists in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not properly sanitized and is directly interpolated into a shell command string. By including shell metacharacters such as ; or ", an attacker can escape the intended docker cp command and execute arbitrary OS commands on the Dokploy host.
Title       | (none)         | Dokploy: Remote Code Execution via destinationPath in Container File Upload
Weaknesses  | (none)         | CWE-77
References  | (none)         | (none listed)
Metrics     | (none)         | cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T20:40:48.564Z

Reserved: 2026-05-12T21:59:25.665Z

Link: CVE-2026-45663

Vulnrichment

Updated: 2026-05-29T20:40:38.085Z

NVD

Status : Deferred

Published: 2026-05-29T16:16:28.347

Modified: 2026-05-29T21:16:40.203

Link: CVE-2026-45663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T17:45:04Z

Weaknesses