CVE-2026-27130 Overview
CVE-2026-27130 is an OS command injection vulnerability [CWE-78] in Dokploy, a free self-hostable Platform as a Service (PaaS). The flaw exists in versions 0.26.6 and below. The appName parameter accepts user-controlled input that flows into shell commands without proper sanitization. An authenticated attacker can inject shell metacharacters during application creation. These payloads execute with server-level privileges when service operations such as start, stop, remove, or scale are triggered. The maintainers resolved this issue in version 0.26.7.
Critical Impact
Authenticated attackers can achieve remote code execution on the Dokploy host with server-level privileges, leading to full compromise of the PaaS environment and all hosted applications.
Affected Products
- Dokploy versions 0.26.6 and earlier
- Self-hosted Dokploy PaaS deployments
- Dokploy instances exposing application creation endpoints to authenticated users
Discovery Timeline
- 2026-05-18 - CVE-2026-27130 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-27130
Vulnerability Analysis
The vulnerability stems from three chained weaknesses in Dokploy's application creation and service management flow. User-supplied application names pass through a cleanAppName function that only lowercases input and replaces spaces. No schema validation rejects shell metacharacters. The sanitized value is then interpolated directly into shell commands executed via execAsync() and execAsyncRemote().
An authenticated attacker submits an appName containing characters such as ;, $(), backticks, |, or &. These characters survive sanitization because they are neither spaces nor uppercase letters. When Dokploy later invokes a Docker or service operation referencing the application, the shell interprets the injected metacharacters as command separators or substitutions. The injected commands run under the privileges of the Dokploy server process.
Root Cause
The root cause is missing input validation combined with unsafe shell interpolation. The cleanAppName helper enforces cosmetic normalization rather than security boundaries. Application names are persisted to the database and later concatenated into command strings without quoting or argument-array execution.
Attack Vector
Exploitation requires an authenticated session with permission to create applications or compose services. The attacker creates an application with a malicious appName. Any subsequent lifecycle action triggers shell execution of the injected payload on the Dokploy host or remote target node.
// Patch: packages/server/src/db/schema/application.ts
// Adds regex-based validation for appName at the schema layer
-import { generateAppName } from "./utils";
+import { APP_NAME_MESSAGE, APP_NAME_REGEX, generateAppName } from "./utils";
export const sourceType = pgEnum("sourceType", [
"docker",
"git",
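Review bot: this excerpt only shows the new import of APP_NAME_MESSAGE and APP_NAME_REGEX from "./utils"; the lines that attach the regex to the appName column (and the matching change in compose.ts) are not in the hunk, so the review cannot confirm from the diff alone that validation is enforced at the schema layer as the text states. Suggest extending the excerpt to the appName field definition and to the utils hunk that defines APP_NAME_REGEX, so the enforced character class is visible to the reader.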
Source: GitHub Commit 960892f
The patch introduces APP_NAME_REGEX and APP_NAME_MESSAGE constants applied across both application.ts and compose.ts schemas. This enforces character class restrictions before any value reaches shell execution paths.
Detection Methods for CVE-2026-27130
Indicators of Compromise
- Dokploy application records with appName values containing shell metacharacters such as ;, |, &, backticks, or $(...) sequences
- Unexpected child processes spawned by the Dokploy Node.js process, particularly shells, network utilities, or package managers
- Outbound network connections from the Dokploy host to unfamiliar destinations following application lifecycle events
- New SSH keys, cron jobs, or systemd units created on the Dokploy host without change-management records
Detection Strategies
- Query the Dokploy database for application and compose records whose appName does not match the allowed regex pattern enforced in 0.26.7
- Audit process-creation telemetry for shells (sh, bash) spawned as children of the Dokploy server process around application start, stop, remove, or scale events
- Review Dokploy application logs for service operations that correlate with anomalous process trees or outbound traffic
Monitoring Recommendations
- Enable endpoint detection and response telemetry on Dokploy hosts to capture process lineage and command-line arguments
- Forward Dokploy audit logs and host process events to a central analytics platform for correlation across lifecycle actions
- Alert on creation of administrative accounts, scheduled tasks, or persistence artifacts on PaaS hosts following recent application changes
How to Mitigate CVE-2026-27130
Immediate Actions Required
- Upgrade Dokploy to version 0.26.7 or later on all self-hosted instances
- Restrict application-creation permissions to trusted administrative users until the upgrade is complete
- Review existing application and compose records for appName values containing shell metacharacters and remove or rename them
- Rotate credentials, SSH keys, and API tokens stored on the Dokploy host if compromise is suspected
Patch Information
The fix is in commit 960892fd8dcf12b7a73a00edaa1b7090fca860c7, released in Dokploy 0.26.7. The patch adds APP_NAME_REGEX validation at the database schema layer in both application.ts and compose.ts. Details are available in the GitHub Security Advisory GHSA-fcgq-jjfg-hrhj.
Workarounds
- Place the Dokploy management interface behind a VPN or IP allowlist to limit who can authenticate
- Disable application-creation and compose-creation endpoints for non-administrative roles where feasible
- Add a reverse-proxy WAF rule rejecting requests whose appName field contains characters outside [a-z0-9-]
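The allow-list check behind the detection query above and the WAF workaround, as an added example that is not Dokploy's own code: one validator audits stored records and rejects new names, and an argv builder shows the argument-array execution the root-cause section calls for. The [a-z0-9-] class is the one named in the workaround; the exact APP_NAME_REGEX in 0.26.7, the space-replacement character in cleanAppName, and the docker subcommand shape are assumptions.

```typescript
// Added example, not Dokploy's own code. The pattern is assumed to be at
// least as strict as the APP_NAME_REGEX shipped in 0.26.7.
const APP_NAME_ALLOWLIST = /^[a-z0-9][a-z0-9-]{0,62}$/;

interface AppRecord { id: string; appName: string; }

// Approximates the cosmetic normalisation the advisory describes (lowercase,
// spaces replaced; replacing with "-" is an assumption). It shows why such
// cleaning is not a security boundary: metacharacters pass through untouched.
function cosmeticClean(name: string): string {
  return name.toLowerCase().replace(/\s+/g, "-");
}

function isAllowedAppName(name: string): boolean {
  return APP_NAME_ALLOWLIST.test(name);
}

// Audit helper: ids of records whose appName fails the allow-list and should
// be renamed or removed before any lifecycle action references them.
function findRejectedRecords(records: AppRecord[]): string[] {
  return records.filter((r) => !isAllowedAppName(r.appName)).map((r) => r.id);
}

// Builds an argv array for a lifecycle action instead of a shell string, so the
// name is never parsed by a shell; the validator runs first as defence in depth.
function buildServiceArgv(action: "start" | "stop", appName: string): string[] {
  if (!isAllowedAppName(appName)) {
    throw new Error(`appName rejected by allow-list: ${JSON.stringify(appName)}`);
  }
  const replicas = action === "stop" ? "--replicas=0" : "--replicas=1";
  return ["docker", "service", "update", replicas, appName];
}

// Constructed sample records (illustrative characters only, no real payloads).
const SAMPLE_RECORDS: AppRecord[] = [
  { id: "app-1", appName: "web-frontend" },
  { id: "app-2", appName: "api;true" },
  { id: "app-3", appName: "Billing Service" },
  { id: "app-4", appName: "worker$(true)" },
];
```

Running findRejectedRecords over a dump of the application and compose tables gives the list of records the immediate-actions section says to rename or remove.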
# Upgrade Dokploy to the patched release
docker pull dokploy/dokploy:0.26.7
docker service update --image dokploy/dokploy:0.26.7 dokploy
# Verify the running version
docker service inspect dokploy --format '{{.Spec.TaskTemplate.ContainerSpec.Image}}'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.