PatchSiren cyber security CVE debrief
CVE-2026-45630 Dokploy CVE debrief
A critical OS command injection vulnerability in Dokploy, a self-hostable Platform-as-a-Service (PaaS) solution, allows authenticated admin or owner users to execute arbitrary system commands on remote servers. The vulnerability exists in the `application.updateTraefikConfig` tRPC endpoint in versions 0.28.8 and earlier, where unsanitized user input is interpolated into shell `echo` commands. This is a classic command injection weakness (CWE-78): attacker-controlled data reaches a shell command without sanitization or parameterization. The CVSS 3.1 score of 9.0 reflects high confidentiality and integrity impact and low availability impact (per the published vector), with a network attack vector, low attack complexity, and high privileges required; notably it carries a scope change (S:C), indicating that the vulnerable component affects resources beyond its own security scope. The vulnerability was disclosed via GitHub Security Advisory and entered into NVD with deferred status as of the May 29, 2026 publication date.
- Vendor: Dokploy
- Product: Unknown
- CVSS: CRITICAL 9.0
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running self-hosted Dokploy instances for application deployment and infrastructure management; security teams responsible for PaaS and container orchestration platforms; DevOps engineers with administrative access to Dokploy deployments; incident response teams tracking command injection patterns in cloud-native tooling.
Technical summary
The `application.updateTraefikConfig` tRPC endpoint in Dokploy ≤0.28.8 passes user-supplied input directly into shell `echo` commands without sanitization, enabling authenticated administrators to inject arbitrary operating system commands. The endpoint's use of shell interpolation creates a command injection vector where metacharacters and command separators in user input are interpreted by the underlying shell. This vulnerability is particularly dangerous in a PaaS context where successful exploitation could compromise not only the Dokploy management host but also downstream application deployments and infrastructure under its control, consistent with the scope change (S:C) in the CVSS vector.
Defensive priority
critical
Recommended defensive actions
- Upgrade Dokploy to a version newer than 0.28.8 as soon as a patched release is available
- Restrict admin and owner role assignments to trusted personnel only
- Implement network segmentation to limit Dokploy management interface exposure
- Monitor for suspicious process execution patterns from the Dokploy application context
- Review audit logs for unexpected Traefik configuration changes or shell command execution
- Consider implementing additional command injection detection at the WAF or runtime protection layer if immediate patching is not feasible
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-p787-6gqg-cvp5. NVD entry shows deferred status with CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L vector. CWE-78 (OS Command Injection) classified as primary weakness. Affected versions explicitly stated as 0.28.8 and earlier.
Official resources
- CVE-2026-45630 CVE record (CVE.org)
- CVE-2026-45630 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29