CVE-2026-45629 Overview
CVE-2026-45629 is an authenticated operating system (OS) command injection vulnerability in Dokploy, a self-hostable Platform as a Service (PaaS). The flaw resides in the /listen-deployment WebSocket endpoint and affects versions 0.28.8 and earlier. Any authenticated organization member can inject arbitrary shell commands that execute on remote servers managed by Dokploy. Successful exploitation results in full compromise of every server controlled by the Dokploy instance. The issue is classified under CWE-78, Improper Neutralization of Special Elements used in an OS Command.
Critical Impact
A low-privileged authenticated user can execute arbitrary OS commands on all servers managed by Dokploy, leading to full server takeover and lateral movement across the managed infrastructure.
Affected Products
- Dokploy versions 0.28.8 and earlier
- Self-hosted Dokploy PaaS deployments
- Remote servers registered to and managed by a vulnerable Dokploy instance
Discovery Timeline
- 2026-05-29 - CVE-2026-45629 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45629
Vulnerability Analysis
Dokploy exposes a WebSocket endpoint at /listen-deployment used to stream deployment activity to authenticated clients. The endpoint accepts client-supplied parameters that are passed into a shell context without proper neutralization of metacharacters. An authenticated organization member can supply crafted input containing shell separators such as ;, &&, or backticks. The server then executes the injected command on the remote host targeted by the deployment listener.
Because Dokploy orchestrates deployments across remote machines, command execution occurs in the context of the Dokploy deployment process on those remote servers. The result is arbitrary command execution beyond the boundary of the Dokploy controller, expanding the blast radius to every managed node. Authentication is required, but membership in any organization on the instance is sufficient — no administrative privileges are needed.
Root Cause
The root cause is improper input validation and lack of argument sanitization in the handler backing the /listen-deployment WebSocket. User-controlled parameters reach an OS command invocation through string concatenation rather than parameterized execution. This pattern matches CWE-78 and converts an authenticated feature into a remote code execution primitive.
Attack Vector
The attack vector is network-based and requires only low-privilege authentication. An attacker authenticates to Dokploy as a standard organization member and opens a WebSocket connection to /listen-deployment. The attacker submits a parameter value containing shell metacharacters followed by the desired command. The server passes the value to a shell, executing the injected command on the targeted managed server. See the Dokploy GitHub Security Advisory GHSA-r73h-qr3p-hf7f for technical details.
Detection Methods for CVE-2026-45629
Indicators of Compromise
- Unexpected WebSocket connections to the /listen-deployment endpoint from non-administrative accounts
- Shell metacharacters such as ;, |, &&, or backticks appearing in WebSocket message payloads sent to Dokploy
- Child processes spawned by the Dokploy deployment service that are not part of normal deployment workflows
- Outbound network connections from managed servers to attacker-controlled infrastructure shortly after deployment events
Detection Strategies
- Inspect Dokploy application logs for /listen-deployment requests containing shell metacharacters in parameters
- Correlate WebSocket session identifiers with the spawning of unexpected processes such as sh, bash, curl, or wget on managed hosts
- Alert on Dokploy organization members issuing deployment listener calls outside of expected change windows
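The first detection strategy above, as an added example that is not part of the original page: a small scanner that parses constructed access-log lines, keeps only /listen-deployment requests, and flags query parameters containing shell metacharacters. The log format (ip, user, quoted request, status) and the sample entries are assumptions made for this example.

```javascript
// Added example, not from Dokploy or the original page: a scanner for the
// "shell metacharacters in /listen-deployment parameters" check, run over
// constructed access-log lines. The log format (<ip> <user> "<request>"
// <status>) and the sample entries are assumptions for this example.
const SHELL_META = /[;&|`$(){}<>\n]/; // characters that end or extend a command

function parseLogLine(line) {
  const m = line.match(/^(\S+) (\S+) "(\S+) (\S+) HTTP\/[\d.]+" (\d{3})/);
  if (!m) return null;
  return { ip: m[1], user: m[2], method: m[3], target: m[4], status: m[5] };
}

// Returns the query parameters of a /listen-deployment request that contain
// shell metacharacters. searchParams percent-decodes, so %3B is seen as ";".
function findSuspiciousParams(target) {
  const url = new URL(target, "http://dokploy.invalid"); // base only for parsing
  if (url.pathname !== "/listen-deployment") return [];
  const hits = [];
  for (const [name, value] of url.searchParams) {
    if (SHELL_META.test(value)) hits.push({ name, value });
  }
  return hits;
}

function scanLogs(lines) {
  const findings = [];
  for (const line of lines) {
    const rec = parseLogLine(line);
    if (!rec) continue;
    const params = findSuspiciousParams(rec.target);
    if (params.length > 0) findings.push({ ip: rec.ip, user: rec.user, params });
  }
  return findings;
}

// Constructed sample log lines: one benign listener call, one carrying an
// encoded ";" separator, one unrelated API request.
const SAMPLE_LOGS = [
  '10.0.0.5 alice "GET /listen-deployment?deploymentId=web-prod-1 HTTP/1.1" 101',
  '203.0.113.9 mallory "GET /listen-deployment?deploymentId=web-prod-1%3B%20id HTTP/1.1" 101',
  '10.0.0.7 bob "GET /api/projects HTTP/1.1" 200',
];

console.log(JSON.stringify(scanLogs(SAMPLE_LOGS), null, 2));
```

Matching runs on decoded values, so percent-encoded separators are caught; parameters sent inside WebSocket frames rather than the upgrade URL need the same check applied to the application log that records message payloads.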
Monitoring Recommendations
- Capture process creation telemetry on every server managed by Dokploy and baseline the normal command set
- Forward Dokploy reverse-proxy and application logs to a centralized log platform for retention and search
- Monitor for new persistence artifacts on managed servers, including cron jobs, systemd units, and SSH authorized_keys modifications
How to Mitigate CVE-2026-45629
Immediate Actions Required
- Upgrade Dokploy to a version later than 0.28.8 that contains the fix referenced in GHSA-r73h-qr3p-hf7f
- Restrict network access to the Dokploy control plane so that only trusted operator networks can reach the web and WebSocket endpoints
- Audit organization membership and remove accounts that no longer require access
- Rotate credentials, API tokens, and SSH keys for any server managed by a Dokploy instance suspected of exposure
Patch Information
The Dokploy maintainers released a patched version that fixes the command injection in the /listen-deployment handler. Refer to the Dokploy GitHub Security Advisory for the exact fixed version and upgrade instructions. Self-hosted operators should plan an upgrade window and verify the deployment after the update.
Workarounds
- Place the Dokploy interface behind a VPN or zero-trust proxy to limit who can authenticate against the WebSocket endpoint
- Enforce strict organization invitation policies and disable open self-registration where applicable
- Review managed server access and ensure each Dokploy agent runs with the least privilege required for deployments
# Example: restrict the Dokploy reverse proxy to an internal admin CIDR
# (adjust to match your environment)
location /listen-deployment {
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://dokploy_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.