PatchSiren


CVE-2026-45661 Dokploy CVE debrief

A critical path traversal vulnerability in Dokploy v0.26.5 and earlier allows authenticated users to write arbitrary files to the filesystem during application deployment. Combined with Dokploy's remote server deployment feature, it enables arbitrary file writes on remote servers' filesystems, which in turn allows remote code execution via planted cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. Because the write is performed by Dokploy on the host rather than inside the deployed container, the vulnerability effectively bypasses container isolation on remote server deployments. The issue was disclosed on May 29, 2026, with a CVSS 3.1 score of 9.9 (Critical). It is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-35 (Path Traversal: '.../...//').

Vendor
Dokploy
Product
Unknown
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running Dokploy v0.26.5 or earlier for self-hosted Platform-as-a-Service deployments, particularly those using the remote server deployment feature to manage distributed infrastructure. Security teams responsible for container orchestration security, DevOps engineers managing Dokploy instances, and system administrators overseeing servers connected to Dokploy remote deployments should prioritize immediate assessment and patching.

Technical summary

The vulnerability stems from insufficient path validation during the application deployment process in Dokploy v0.26.5 and earlier. Authenticated users can manipulate file paths in deployment requests to traverse outside the intended directories, resulting in arbitrary file writes to the host filesystem. When Dokploy's remote server deployment feature is enabled, the same unvalidated path is carried to the connected remote servers, allowing attackers to write files to arbitrary locations on those systems. Attackers can leverage this capability to inject malicious cron jobs, establish persistent backdoors, exfiltrate data, or achieve complete server compromise. The vulnerability bypasses container isolation because the file write is performed by Dokploy on the host filesystem, outside any container boundary. Per the CVSS vector, the attack is network-reachable and low complexity, requires only low privileges (an authenticated user) and no user interaction, and has changed scope: it affects resources beyond the vulnerable component.
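The validation gap described above, shown as an added TypeScript example. Dokploy is a TypeScript project, but this is illustrative code written for this debrief, not Dokploy's own implementation, and it does not reproduce the exact vulnerable code path. `DEPLOY_ROOT`, `unsafeJoin` and `safeJoin` are hypothetical names and the root path is made up. `unsafeJoin` is the pattern that lets `../` segments climb out of the deployment directory; `safeJoin` resolves the candidate and accepts it only if it is still under the root.

```typescript
import * as path from "node:path";

// Hypothetical deployment root; files written during a deploy must stay under it.
const DEPLOY_ROOT = "/var/lib/deploy/app-1234";

// Vulnerable pattern: a user-supplied relative path is joined onto the root.
// path.join normalizes ".." segments, so the result can land anywhere on the host
// (for example /etc/cron.d, which is how a cron-based RCE gets planted).
function unsafeJoin(root: string, userPath: string): string {
  return path.posix.join(root, userPath);
}

// Hardened pattern: resolve the candidate, then prove it is still inside root.
// Returns null for absolute input, for paths that climb out of root, and for
// sibling directories that merely share root as a string prefix.
function safeJoin(root: string, userPath: string): string | null {
  const rootAbs = path.posix.resolve(root);
  // An absolute userPath would make resolve() discard root entirely.
  if (path.posix.isAbsolute(userPath)) return null;
  const candidate = path.posix.resolve(rootAbs, userPath);
  // Compare against the root *with* a trailing separator, so that
  // "/var/lib/deploy/app-1234-evil" is not accepted as a child of "/var/lib/deploy/app-1234".
  const rootWithSep = rootAbs.endsWith("/") ? rootAbs : rootAbs + "/";
  if (!candidate.startsWith(rootWithSep)) return null;
  return candidate;
}

// Constructed sample inputs: a legitimate file, a cron-job drop via "..",
// an absolute path, and the sibling-directory prefix trick.
const SAMPLE_INPUTS = [
  "config/app.yml",
  "../../../../etc/cron.d/backdoor",
  "/etc/cron.d/backdoor",
  "../app-1234-evil/index.html",
];

for (const input of SAMPLE_INPUTS) {
  console.log(
    `${input}\n  unsafe -> ${unsafeJoin(DEPLOY_ROOT, input)}\n  safe   -> ${safeJoin(DEPLOY_ROOT, input)}`,
  );
}
```

The important design point is that the check runs on the fully resolved path, not on the raw string: rejecting the literal `../` substring misses encoded and normalized variants, while comparing the resolved path against the root (separator included) catches every way of leaving the directory. On a remote-deployment architecture the same containment check belongs on the side that actually performs the write, rather than trusting that the controller already validated the path.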

Defensive priority

critical

Recommended defensive actions

  • Upgrade Dokploy to a version newer than v0.26.5 as soon as a patched release is available from the vendor.
  • Restrict authenticated access to Dokploy deployments to trusted administrative users only; review and audit all existing user accounts with deployment privileges.
  • Disable or restrict the remote server deployment feature until patching is complete, or implement additional network segmentation to isolate Dokploy-managed servers from sensitive internal resources.
  • Monitor filesystem and cron job configurations on all Dokploy-managed servers for unauthorized modifications, particularly in system directories and user crontabs.
  • Review application deployment logs for anomalous file write operations or path traversal indicators (e.g., sequences like ../ or encoded variants) in deployment requests.
  • Implement file integrity monitoring on critical system paths and cron directories on servers managed by Dokploy to detect unauthorized file writes.
  • If immediate patching is not feasible, consider deploying Dokploy in an isolated environment with restricted outbound connectivity and enhanced logging for forensic purposes.
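One way to act on the log-review bullet above: an added TypeScript example, written for this debrief and not part of Dokploy, that scans deployment log lines for traversal indicators, including percent-encoded and double-encoded variants. The log format (`write path="..."`), the field names and all five sample lines are constructed for this example; adapt `extractPath` to whatever your Dokploy deployment logs actually record.

```typescript
// Constructed sample log lines (not real Dokploy output). Lines 2-4 carry
// traversal payloads; line 5 is a benign filename that merely contains "..".
const SAMPLE_LOG: string[] = [
  '2026-05-29T18:20:01Z deploy app=web-1 user=alice write path="config/app.yml"',
  '2026-05-29T18:20:05Z deploy app=web-1 user=mallory write path="../../../../etc/cron.d/sync"',
  '2026-05-29T18:20:09Z deploy app=web-1 user=mallory write path="..%2f..%2f..%2froot/.ssh/authorized_keys"',
  '2026-05-29T18:20:12Z deploy app=web-1 user=mallory write path="%252e%252e/%252e%252e/etc/passwd"',
  '2026-05-29T18:20:15Z deploy app=web-2 user=bob write path="assets/images/..png"',
];

// Percent-decode repeatedly so double-encoded payloads (%252e -> %2e -> .)
// are unwrapped; stop when a round changes nothing or the input is malformed.
function fullyDecode(s: string, maxRounds = 3): string {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    let next: string;
    try {
      next = decodeURIComponent(cur);
    } catch {
      break; // malformed escape sequence: keep what we have
    }
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// ".." as a complete path segment, checked after backslashes are normalized to "/".
const DOT_DOT_SEGMENT = /(^|\/)\.\.(\/|$)/;
// A few classic overlong UTF-8 encodings of ".", "/" and "\" that
// decodeURIComponent rejects, so they are matched on the raw string.
const OVERLONG_ESCAPES = /%c0%ae|%c0%af|%c1%9c/i;

// True if the path field looks like an attempt to leave its directory.
function isTraversal(rawPath: string): boolean {
  if (OVERLONG_ESCAPES.test(rawPath)) return true;
  const normalized = fullyDecode(rawPath).replace(/\\/g, "/");
  return DOT_DOT_SEGMENT.test(normalized);
}

// Pull the quoted path out of a log line; null if the line has none.
function extractPath(line: string): string | null {
  const m = /path="([^"]*)"/.exec(line);
  return m?.[1] ?? null;
}

// Return the lines whose path field carries a traversal indicator.
function scanLog(lines: string[]): string[] {
  return lines.filter((line) => {
    const p = extractPath(line);
    return p !== null && isTraversal(p);
  });
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log("TRAVERSAL INDICATOR:", hit);
}
```

Matching on `..` as a whole segment, rather than on any `..` substring, keeps filenames like `..png` from producing noise, and decoding before matching is what catches the `%2f` and `%252e` variants the bullet refers to. Any hit is a reason to check the cron directories and user crontabs on every server that instance deploys to, not just the Dokploy host.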

Evidence notes

Official CVE record published 2026-05-29T18:17:11.780Z; modified 2026-05-29T20:25:00.760Z. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. Source: NVD with reference to GitHub Security Advisory GHSA-66v7-g3fh-47h3.

Official resources

2026-05-29