
PatchSiren cyber security CVE debrief

CVE-2026-45663 Dokploy CVE debrief

A critical command injection vulnerability in Dokploy's Docker file upload functionality allows authenticated attackers to execute arbitrary OS commands on the host. The flaw exists in versions 0.29.1 and earlier, where the destinationPath parameter is unsafely interpolated into shell commands during docker cp operations. Attackers can inject shell metacharacters to escape the intended command context. This vulnerability carries a CVSS 3.1 score of 9.9 (Critical) with network attack vector, low complexity, and high impacts across confidentiality, integrity, and availability. The issue was disclosed via GitHub Security Advisory and is tracked in NVD with deferred status. No known exploitation in ransomware campaigns has been reported.

Vendor: Dokploy
Product: Unknown
CVSS: CRITICAL 9.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations running self-hosted Dokploy instances for application deployment and container management, particularly those exposing administrative interfaces to broader networks or with multi-tenant access patterns.

Technical summary

The vulnerability resides in Dokploy's file upload feature for containers. When an authenticated user uploads a file, the destinationPath parameter is concatenated directly into a shell command string without proper sanitization. This allows injection of shell control characters (semicolons, quotes, backticks, etc.) that terminate the intended docker cp command and introduce arbitrary command execution. The attack requires valid authentication but no user interaction, and successful exploitation grants command execution on the Dokploy host with potential container escape implications due to docker daemon access.

Defensive priority

Critical

Recommended defensive actions

  • Upgrade Dokploy to a version newer than 0.29.1 once a patched release is available
  • Restrict network access to Dokploy administrative interfaces to trusted administrative hosts only
  • Implement input validation and sanitization for all file upload destination paths, rejecting shell metacharacters
  • Review container runtime configurations to apply principle of least privilege for docker daemon access
  • Enable comprehensive audit logging for file upload operations and command execution events
  • Consider network segmentation to isolate Dokploy management plane from production workloads

Evidence notes

Vulnerability confirmed through GitHub Security Advisory GHSA-9m66-74x3-5mwr. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H indicates a network-accessible, low-complexity attack requiring low privileges, with a scope change and complete confidentiality, integrity and availability impact. CWE-77 (Command Injection) is assigned from a secondary weakness source. The NVD status 'Deferred' suggests analysis is still ongoing.

Official resources

2026-05-29