PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45633 Dokploy CVE debrief

Dokploy versions 0.26.6 and earlier contain a critical OS command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are concatenated directly into a shell command, so any authenticated user can execute arbitrary commands with root privileges. The vulnerability carries a CVSS 3.1 base score of 9.9 (Critical) and is classified as CWE-78 (OS Command Injection). It was published on May 29, 2026, and modified later the same day. No exploitation in ransomware campaigns has been reported, and the vulnerability does not appear in CISA's Known Exploited Vulnerabilities catalog in the evidence stored for this debrief.

Vendor
Dokploy
Product
Unknown
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running Dokploy 0.26.6 or earlier for application deployment and container management should prioritize patching. The only precondition for exploitation is an authenticated account (CVSS PR:L), so instances shared by several teams or holding accounts for less-trusted users are the most exposed. Security teams managing self-hosted PaaS infrastructure and DevOps engineers responsible for container orchestration platforms are particularly affected.

Technical summary

The /docker-container-logs WebSocket endpoint in Dokploy 0.26.6 and earlier does not validate the tail and since parameters and concatenates them directly into a shell command. An authenticated attacker can therefore supply shell metacharacters (a command separator or command substitution, for example) in either parameter and run arbitrary commands with root privileges, resulting in complete compromise of the system the Dokploy process runs on.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade Dokploy to the first release after 0.26.6 that the GitHub advisory lists as patched
  • Restrict access to the Dokploy management interface to trusted users; authentication alone is not a mitigation, because any authenticated account can exploit the endpoint
  • For maintainers of forks or custom builds: validate tail and since against a strict allowlist (for tail, a non-negative integer or "all"; for since, a duration or timestamp) and pass them to docker as separate arguments rather than through a shell
  • Consider network segmentation to limit exposure of Dokploy management interfaces
  • Monitor for unexpected child processes spawned by the Dokploy process, such as a shell launched alongside a docker logs invocation
  • Review audit and access logs for WebSocket connections to /docker-container-logs carrying unusual tail or since values
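The technical summary above describes the bug as string concatenation into a shell command, and the validation bullet describes the fix. The following TypeScript is an added example written for this debrief, not Dokploy's own source: it shows the vulnerable concatenation pattern next to a hardened handler that checks tail, since and the container reference against allowlists and hands them to docker as discrete argv entries with shell:false, so no shell ever parses them. The allowlist regexes, the function names and the sample requests are assumptions made for the example.

```typescript
// Added example (not Dokploy's code): the vulnerable concatenation pattern next to
// a hardened version that validates tail/since against allowlists and passes them
// to docker as discrete argv entries, so no shell ever parses them.
import { spawn, ChildProcess } from "node:child_process";

// Allowlists are assumptions made for this example; tighten or extend them to
// match exactly what `docker logs` accepts in your deployment.
// --tail: a non-negative integer or the literal "all".
const TAIL_RE = /^(?:all|[0-9]{1,9})$/;
// --since: a relative duration (10m, 1h30m, 90s) or an RFC 3339 timestamp.
const SINCE_RE =
  /^(?:[0-9]{1,6}[smh])+$|^[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.[0-9]+)?(?:Z|[+-][0-9]{2}:[0-9]{2})$/;
// Container name or ID: Docker names start with an alphanumeric character and
// contain only [a-zA-Z0-9_.-]; hex IDs satisfy the same pattern.
const CONTAINER_RE = /^[a-zA-Z0-9][a-zA-Z0-9_.-]{0,127}$/;

// VULNERABLE pattern (the shape of the bug the advisory describes, not the
// project's actual source): untrusted strings are spliced into one command
// line that a shell later parses, so "100; id" becomes two commands.
function unsafeShellCommand(containerId: string, tail: string, since: string): string {
  return `docker logs --tail ${tail} --since ${since} ${containerId}`;
}

// HARDENED: reject anything outside the allowlists and return an argv array.
function validateLogArgs(containerId: string, tail: string, since: string): string[] {
  if (!CONTAINER_RE.test(containerId)) throw new Error("invalid container id");
  if (!TAIL_RE.test(tail)) throw new Error("invalid tail value");
  if (!SINCE_RE.test(since)) throw new Error("invalid since value");
  // The container reference goes last and cannot start with "-", so it can
  // never be misread as a flag.
  return ["logs", "--tail", tail, "--since", since, containerId];
}

// Boolean form of the check, convenient for request handlers and tests.
function isSafeLogRequest(containerId: string, tail: string, since: string): boolean {
  try {
    validateLogArgs(containerId, tail, since);
    return true;
  } catch {
    return false;
  }
}

// Spawn docker with shell:false: argv entries reach execve untouched, so shell
// metacharacters in a parameter are just bytes in an argument, never syntax.
function streamContainerLogs(
  containerId: string,
  tail: string,
  since: string,
  onLine: (line: string) => void,
): ChildProcess {
  const args = validateLogArgs(containerId, tail, since);
  const child = spawn("docker", args, { shell: false, stdio: ["ignore", "pipe", "pipe"] });
  child.stdout?.on("data", (chunk) => {
    for (const line of String(chunk).split("\n")) {
      if (line.length > 0) onLine(line);
    }
  });
  return child;
}

// Constructed sample requests: two legitimate clients, then three attackers.
const attempts: Array<[string, string, string]> = [
  ["web-1", "100", "10m"],
  ["web-1", "all", "2026-05-29T00:00:00Z"],
  ["web-1", "100; id", "10m"],
  ["web-1", "100", "$(id)"],
  ["web-1 && id", "all", "10m"],
];
for (const [c, t, s] of attempts) {
  // Prints the verdict of the hardened check beside the command line the
  // vulnerable pattern would have handed to a shell.
  console.log(isSafeLogRequest(c, t, s) ? "accept" : "reject", unsafeShellCommand(c, t, s));
}
```

Run it with a TypeScript runner such as tsx or ts-node; streamContainerLogs is defined but not invoked, so the sample runs without Docker installed. The point of the argv form is that validation is defence in depth: even if the allowlist were too loose, nothing in tail or since could reach a shell, because the process is spawned directly.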

Evidence notes

The vulnerability affects Dokploy 0.26.6 and earlier. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H indicates network attack vector, low attack complexity, low privileges required, no user interaction, changed scope, and high impact on confidentiality, integrity, and availability. Low privileges required means any authenticated Dokploy account suffices; the changed scope reflects that the injected commands escape the application and run on the underlying system with root privileges.

Official resources

The vulnerability was disclosed through GitHub Security Advisories and is tracked as GHSA-wmqj-wr9q-327p.