PatchSiren cyber security CVE debrief
CVE-2026-27130 Dokploy CVE debrief
CVE-2026-27130 is a critical command injection flaw in Dokploy affecting versions 0.26.6 and below. User-controlled application names receive only weak sanitization, are never checked against a schema, and are interpolated directly into shell commands. In practice, an authenticated attacker who controls appName during application creation may be able to trigger server-side command execution when service operations such as start, stop, remove, or scale are later performed on that application. Dokploy states the issue is fixed in 0.26.7.
- Vendor: Dokploy
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-18
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-18
- Advisory updated: 2026-05-19
Who should care
Dokploy administrators, platform operators, and security teams responsible for self-hosted PaaS deployments, especially any environment still running Dokploy 0.26.6 or earlier. Organizations that allow lower-trust users to create or manage applications should treat this as high priority: the vulnerable path is reachable after authentication and the CVSS vector records only low privileges (PR:L) as required.
Technical summary
The vulnerability combines three weaknesses: inadequate input sanitization, lack of schema validation, and direct shell interpolation. The appName field is only lightly normalized by cleanAppName, which replaces spaces and lowercases the value but does not neutralize shell metacharacters. The normalized value is then interpolated into command strings passed to execAsync() and execAsyncRemote(). Because exec-style helpers hand the whole string to a shell, characters such as ;, $( ), and backticks in the name are parsed as shell syntax rather than as part of the name, so injected commands run with the privileges of the Dokploy process (locally or, for execAsyncRemote, on the remote server). The NVD record maps this to CWE-78 and uses a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H.
Defensive priority
Urgent. This is a network-reachable, authenticated command injection with critical CVSS severity and high impact to confidentiality, integrity, and availability, with a scope change (S:C) indicating effects beyond the vulnerable component. Prioritize upgrading affected instances to 0.26.7 ahead of routine maintenance work.
Recommended defensive actions
- Upgrade Dokploy to version 0.26.7 or later immediately.
- Inventory all Dokploy deployments and confirm no instance remains on version 0.26.6 or below.
- Review application naming controls. Validation should reject anything outside a strict allow-list of characters (for example lowercase letters, digits, and hyphens) rather than merely normalizing spaces or case, and service operations should pass the name as a discrete argument to execFile- or spawn-style calls instead of building a shell command string.
- Limit who can create or manage applications in Dokploy to the minimum necessary set of authenticated users.
- After upgrading, review existing application names for unexpected characters and check service-operation activity for anything anomalous around the exposure window.
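As an added example for this debrief (not Dokploy's code and not the fix commit), the following TypeScript contrasts the weak pattern described in the technical summary with the allow-list validation and argument-array invocation recommended in the list above, and ends with a small audit helper for the post-upgrade name review. The normalizer weakCleanAppName is an assumed stand-in for the behaviour attributed to cleanAppName, the allow-list pattern APP_NAME_RE and every function name are this example's own, and the hostile input is constructed.

```typescript
import { spawnSync } from "node:child_process";

// Stand-in for the weak normalizer the advisory describes: it only collapses
// whitespace to dashes and lowercases. Assumed for this example; it is not
// Dokploy's own cleanAppName.
function weakCleanAppName(name: string): string {
  return name.trim().replace(/\s+/g, "-").toLowerCase();
}

// The vulnerable pattern: the lightly normalized name is interpolated into a
// command string that an exec-style helper would hand to /bin/sh. Returned as
// a string here so the example never actually runs it.
function buildShellCommandVulnerable(appName: string, replicas: number): string {
  const name = weakCleanAppName(appName);
  return `docker service scale ${name}=${replicas}`;
}

// Hardened input check: a strict allow-list instead of normalization.
// The pattern is this example's choice, not the project's schema.
const APP_NAME_RE = /^[a-z0-9][a-z0-9-]{0,62}$/;

function validateAppName(name: string): string {
  const cleaned = weakCleanAppName(name);
  if (!APP_NAME_RE.test(cleaned)) {
    throw new Error(`rejected application name: ${JSON.stringify(name)}`);
  }
  return cleaned;
}

// Hardened invocation: an argv array, so no shell parses the name even if
// validation is ever relaxed. Suitable for execFile/spawn, never for exec.
function buildArgvHardened(appName: string, replicas: number): string[] {
  const name = validateAppName(appName);
  return ["docker", "service", "scale", `${name}=${replicas}`];
}

// Shows that an argv element reaches the child intact, metacharacters and
// all. The child is node itself so this runs wherever the example runs.
function echoArgvViaChild(arg: string): string[] {
  const res = spawnSync(
    process.execPath,
    ["-e", "process.stdout.write(JSON.stringify(process.argv.slice(1)))", "--", arg],
    { encoding: "utf8" },
  );
  if (res.status !== 0) throw new Error(`child failed: ${res.stderr}`);
  return JSON.parse(res.stdout) as string[];
}

// Post-upgrade audit helper for the "review existing application names"
// action: returns the stored names that would not pass the allow-list.
function findSuspiciousNames(names: string[]): string[] {
  return names.filter((n) => !APP_NAME_RE.test(n));
}

// Constructed hostile input: it survives weakCleanAppName untouched because
// it contains no whitespace and no uppercase letters.
const hostile = "app$(id)";
console.log("vulnerable:", buildShellCommandVulnerable(hostile, 1));
console.log("hardened:  ", buildArgvHardened("My App", 1));
console.log("audit:     ", findSuspiciousNames(["web", "api-v2", hostile, "db;reboot"]));
```

Run it with ts-node or tsx. The hostile name passes the normalizer unchanged, lands verbatim in the shell string (where a shell would evaluate the command substitution), is rejected by the validator, and, when passed as an argv element, reaches the child as a single argument. The argv approach protects only the process boundary; docker still receives the name, so the allow-list stays necessary.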
Evidence notes
The official sources identify Dokploy versions 0.26.6 and below as affected and state that the issue is resolved in 0.26.7. The GitHub advisory and commit are listed in NVD references, and the NVD record shows vulnStatus as Deferred with a CWE-78 mapping and CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. This debrief relies only on the supplied CVE record, NVD metadata, and the linked GitHub advisory/commit.
Official resources
CVE published at 2026-05-18T21:16:39.890Z and last modified at 2026-05-19T17:16:21.520Z. The supplied NVD record was also updated on 2026-05-19 and points to the GitHub advisory and fix commit for Dokploy.