PatchSiren cyber security CVE debrief

CVE-2026-45662 Dokploy CVE debrief

A command injection vulnerability exists in Dokploy versions 0.29.0 and earlier. The deleteRegistry function in packages/server/src/services/registry.ts executes docker logout ${response.registryUrl} without shell escaping, while the docker login command in the same file correctly uses shEscape(). This inconsistency allows authenticated attackers with registry deletion privileges to inject arbitrary shell commands via a crafted registryUrl parameter. The vulnerability was disclosed via GitHub Security Advisory and is tracked as GHSA-827c-7x62-29jq.

Vendor: Dokploy
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running self-hosted Dokploy instances at version 0.29.0 or earlier, particularly those with multi-user environments where untrusted users may configure container registries. DevOps teams using Dokploy for production deployments should prioritize patching due to the high confidentiality, integrity, and availability impact.

Technical summary

The deleteRegistry function constructs a shell command using template literal interpolation: docker logout ${response.registryUrl}. Without shEscape() or equivalent sanitization, malicious registryUrl values containing shell metacharacters (semicolons, backticks, dollar signs, pipes) execute arbitrary commands in the context of the Dokploy server process. The docker login command in the same file demonstrates the correct pattern: docker login ... ${shEscape(response.registryUrl)} ...
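The two command shapes the summary contrasts, as an added example that is not Dokploy's code: shEscapeLike is an assumed stand-in for the project's shEscape(), and shellSplit is a deliberately minimal model of POSIX shell word splitting used only to show how each string would be parsed.

```typescript
// Added example (not Dokploy's code): the two command shapes from the advisory,
// plus a small model of how a POSIX shell splits each one.

// Assumed stand-in for Dokploy's shEscape(): wrap the value in single quotes so
// the shell sees one literal word; an embedded ' becomes '\'' (close, escape, reopen).
function shEscapeLike(value: string): string {
  return `'${value.replace(/'/g, "'\\''")}'`;
}

// Vulnerable shape: registryUrl interpolated unquoted into the shell string.
function buildLogoutVulnerable(registryUrl: string): string {
  return `docker logout ${registryUrl}`;
}

// Hardened shape: same command, argument quoted as the docker login path does.
function buildLogoutHardened(registryUrl: string): string {
  return `docker logout ${shEscapeLike(registryUrl)}`;
}

// Minimal model of POSIX sh splitting: whitespace separates words, an unquoted
// ';' separates commands, single quotes make their content one literal word,
// a backslash escapes the next character. Not a full shell parser.
function shellSplit(cmdline: string): string[][] {
  const commands: string[][] = [];
  let argv: string[] = [];
  let word = "";
  let inWord = false;
  for (let i = 0; i < cmdline.length; i++) {
    const ch = cmdline[i];
    if (ch === "'") {
      const end = cmdline.indexOf("'", i + 1);
      if (end === -1) throw new Error("unterminated single quote");
      word += cmdline.slice(i + 1, end);
      inWord = true;
      i = end;
    } else if (ch === "\\" && i + 1 < cmdline.length) {
      word += cmdline[++i];
      inWord = true;
    } else if (ch === ";" || /\s/.test(ch)) {
      if (inWord) { argv.push(word); word = ""; inWord = false; }
      if (ch === ";") { commands.push(argv); argv = []; }
    } else {
      word += ch;
      inWord = true;
    }
  }
  if (inWord) argv.push(word);
  if (argv.length > 0 || commands.length === 0) commands.push(argv);
  return commands;
}
```

The hardened string keeps the whole URL as a single argument; passing an argv array to execFile instead of a shell string removes the parsing step entirely.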

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Dokploy to a version newer than 0.29.0 that addresses GHSA-827c-7x62-29jq
  • Review all shell command executions in packages/server/src/services/registry.ts for consistent use of shEscape() or equivalent sanitization
  • Audit registry configuration interfaces to validate registryUrl format before storage
  • Implement defense-in-depth by restricting Dokploy service account permissions to prevent command execution escalation
  • Monitor system logs for suspicious docker logout commands or unexpected shell activity from the Dokploy process

Evidence notes

The vulnerability stems from inconsistent input sanitization within the same source file: docker login uses shEscape() while docker logout does not. This pattern suggests a partial security fix or an oversight during development. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates a network-accessible attack vector with low attack complexity, requiring low privileges but no user interaction, with high impact across confidentiality, integrity, and availability.

Official resources

2026-05-29