PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45629 Dokploy CVE debrief

**Executive Summary:** Dokploy versions 0.28.8 and earlier contain a critical authenticated OS command injection vulnerability in the `/listen-deployment` WebSocket endpoint. Any organization member can execute arbitrary system commands on remote servers managed by Dokploy, resulting in full server compromise. This vulnerability carries a CVSS 3.1 score of 9.9 (Critical).

Vendor: Dokploy
Product: Unknown
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running self-hosted Dokploy instances for PaaS operations; DevOps and platform engineering teams; security teams managing container orchestration infrastructure.

Technical summary

The `/listen-deployment` WebSocket endpoint in Dokploy ≤0.28.8 fails to properly sanitize user input before passing it to system shell commands. An authenticated organization member can inject arbitrary OS commands through this endpoint, which are then executed on remote servers under Dokploy management. The vulnerability requires only low privileges (any org member) and no user interaction; the changed scope (S:C) reflects impact that extends beyond the vulnerable component to the managed infrastructure.

Defensive priority

P0 - Critical

Recommended defensive actions

  • Upgrade Dokploy to a version newer than 0.28.8 as soon as a patched release is available from the vendor.
  • Restrict organization membership to trusted administrators only until patching is complete.
  • Monitor WebSocket connections to the `/listen-deployment` endpoint for anomalous patterns or unexpected command execution.
  • Review server logs for indicators of unauthorized command execution on managed remote servers.
  • Implement network segmentation to limit Dokploy management plane access to authorized administrative hosts.
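An added example (not code from Dokploy or the advisory) that operationalizes the monitoring items above: it checks whether an installed version falls in the affected range (≤0.28.8) and scans reverse-proxy access log lines for WebSocket upgrade requests to `/listen-deployment` whose query values contain shell metacharacters or fall outside an identifier allowlist. The nginx-style log lines, the `deploymentId` parameter name and the allowlist pattern are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed reverse-proxy access log lines (nginx-style); a WebSocket handshake is
# logged as an HTTP GET that receives a 101 Switching Protocols response.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /listen-deployment?deploymentId=dpl-8f3a2c HTTP/1.1" 101 0
10.0.0.7 - - [29/May/2026:10:00:09 +0000] "GET /listen-deployment?deploymentId=dpl-8f3a2c%3Bid HTTP/1.1" 101 0
10.0.0.9 - - [29/May/2026:10:00:12 +0000] "GET /api/trpc/project.all HTTP/1.1" 200 512
"""

WATCHED_PATH = "/listen-deployment"                      # endpoint named in the advisory
EXPECTED_VALUE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")    # assumed allowlist for identifier-like values
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\'\"]")          # characters a shell would interpret
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def affected_version(version: str, last_vulnerable: str = "0.28.8") -> bool:
    """True if version <= last_vulnerable, comparing numeric dotted components."""
    def parse(v: str):
        return tuple(int(p) for p in v.lstrip("v").split("."))
    return parse(version) <= parse(last_vulnerable)

def scan_line(line: str):
    """Return a finding for a suspicious request to the watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != WATCHED_PATH:
        return None
    # parse_qsl percent-decodes, so an encoded %3B is inspected as ';'
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if SHELL_META.search(value) or not EXPECTED_VALUE.match(value):
            return {"ip": m["ip"], "ts": m["ts"], "param": key, "value": value}
    return None

def scan_log(text: str):
    """Scan every line and return the list of findings."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f['ts']} {f['ip']} {f['param']}={f['value']!r}")
```

Only the HTTP upgrade request is visible to a reverse proxy; data sent after the handshake must be inspected at the application itself.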

Evidence notes

The vulnerability was disclosed via GitHub Security Advisory GHSA-r73h-qr3p-hf7f and indexed by NVD. The affected component is the `/listen-deployment` WebSocket endpoint in Dokploy ≤0.28.8. The weakness is classified as CWE-78 (OS Command Injection). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L.
