CVE-2026-45630 Overview
CVE-2026-45630 is an authenticated operating system command injection vulnerability in Dokploy, a self-hostable Platform as a Service (PaaS). The flaw resides in the application.updateTraefikConfig tRPC endpoint and affects Dokploy versions 0.28.8 and earlier. Admin or owner accounts can inject shell metacharacters into unsanitized echo interpolation, executing arbitrary commands on remote servers managed by Dokploy. The weakness maps to [CWE-78] Improper Neutralization of Special Elements used in an OS Command.
Critical Impact
An authenticated administrator can execute arbitrary system commands on managed Dokploy hosts, leading to full server compromise across the PaaS fleet.
Affected Products
- Dokploy versions 0.28.8 and earlier
- Dokploy application.updateTraefikConfig tRPC endpoint
- Dokploy-managed remote servers receiving Traefik configuration updates
Discovery Timeline
- 2026-05-29 - CVE-2026-45630 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-45630
Vulnerability Analysis
Dokploy exposes the application.updateTraefikConfig procedure through its tRPC API to let administrators modify Traefik reverse-proxy configuration on managed servers. The handler passes user-supplied input into a shell echo invocation without escaping or argument separation. Authenticated users with the admin or owner role can embed shell metacharacters such as backticks, $(), or ; to break out of the intended string context and execute arbitrary commands.
Because Dokploy frequently orchestrates configuration changes on remote nodes over SSH, the injected commands run on the target server with the privileges Dokploy uses to manage it. This converts a configuration update endpoint into a remote code execution primitive across every server the platform controls.
Root Cause
The root cause is unsafe string interpolation of attacker-controlled values into a shell command line ([CWE-78]). The updateTraefikConfig flow concatenates configuration values directly into an echo ... > shell redirection rather than using parameterized writes, argument arrays, or proper shell quoting. No input validation rejects shell metacharacters before the command is built.
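The pattern described above, shown as an added example that is not Dokploy source code: an assumed double-quoted echo interpolation beside two hardened ways to write the same content. The function names, temp file and input are constructed, and a harmless command substitution stands in for hostile input.

```javascript
// Added illustration; helper names are hypothetical, not Dokploy's code.
const { execFileSync } = require("node:child_process");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// VULNERABLE (assumed form of the flaw): the value lands inside a double-quoted
// echo argument, where the shell still expands $(...) and backticks, and where
// an embedded double quote ends the argument.
function buildUnsafeWrite(content, file) {
  return `echo "${content}" > ${file}`;
}

// Hardened option 1: POSIX single-quote escaping. Nothing is special inside
// '...'; an embedded single quote is written as '\''.
function shQuote(s) {
  return `'${String(s).replace(/'/g, `'\\''`)}'`;
}
function buildQuotedWrite(content, file) {
  return `printf '%s' ${shQuote(content)} > ${shQuote(file)}`;
}

// Hardened option 2: keep the content off the command line entirely. It is
// sent on stdin, and the path travels as a positional argument ($1).
function writeViaStdin(content, file) {
  execFileSync("sh", ["-c", 'cat > "$1"', "sh", file], { input: content });
}

function runAndRead(command, file) {
  execFileSync("sh", ["-c", command]);
  return fs.readFileSync(file, "utf8");
}

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "traefik-demo-"));
  const file = path.join(dir, "app.yml");
  const content = "rule: $(echo INJECTED)"; // constructed, harmless input
  const unsafe = runAndRead(buildUnsafeWrite(content, file), file);
  const quoted = runAndRead(buildQuotedWrite(content, file), file);
  writeViaStdin(content, file);
  const stdin = fs.readFileSync(file, "utf8");
  fs.rmSync(dir, { recursive: true, force: true });
  return { content, unsafe, quoted, stdin };
}
```

With the unsafe builder the shell evaluates the substitution and the file ends up holding its output; both hardened forms write the input byte for byte.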
Attack Vector
The attack is network-reachable and requires high-privilege authentication (admin or owner). An authenticated attacker submits a crafted Traefik configuration payload to the tRPC endpoint. The payload contains shell metacharacters that terminate the intended echo argument and append additional commands. When Dokploy applies the configuration, the appended commands execute on the target server. Refer to the GitHub Security Advisory GHSA-p787-6gqg-cvp5 for vendor technical details.
// No verified exploit code is published.
// See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-45630
Indicators of Compromise
- Unexpected child processes spawned by the Dokploy server process or its SSH sessions, particularly shells invoking sh -c with concatenated echo payloads.
- Traefik configuration files containing shell metacharacters (;, `, $(, |, &&) inside fields that should hold only routing strings.
- Outbound network connections from managed nodes immediately following calls to application.updateTraefikConfig.
Detection Strategies
- Inspect Dokploy audit logs and tRPC request bodies for application.updateTraefikConfig calls containing shell control characters in user-controlled fields.
- Correlate configuration-update events with process-execution telemetry on managed servers to identify command execution outside expected Traefik reload behavior.
- Hunt for unauthorized admin or owner role assignments preceding updateTraefikConfig invocations.
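One way to implement the request-body check from the first strategy, as an added example rather than Dokploy or vendor tooling. Traefik rule syntax itself uses backticks and && (for example Host(`a`) && PathPrefix(`/x`)), so the scan removes well-formed matcher calls before looking for the remaining metacharacters. The JSON-lines log shape and its field names (path, user, input.traefikConfig) are assumptions, and every log line is constructed.

```javascript
// Constructed sample log; the log shape and field names are assumptions.
const SAMPLE_LOG = [
  '{"ts":"2026-06-02T10:01:00Z","user":"admin-a","path":"application.updateTraefikConfig","input":{"traefikConfig":"rule: Host(`app.example.test`) && PathPrefix(`/api`)"}}',
  '{"ts":"2026-06-02T10:05:00Z","user":"admin-b","path":"application.updateTraefikConfig","input":{"traefikConfig":"rule: Host(`app.example.test`)$(echo MARKER)"}}',
  '{"ts":"2026-06-02T10:06:00Z","user":"admin-b","path":"application.updateTraefikConfig","input":{"traefikConfig":"entryPoints: web; echo MARKER"}}',
  '{"ts":"2026-06-02T10:07:00Z","user":"admin-c","path":"application.updateTraefikConfig","input":{"traefikConfig":"rule: Host(`app.example.test`) && echo MARKER"}}',
  '{"ts":"2026-06-02T10:08:00Z","user":"admin-a","path":"application.update","input":{"name":"x; echo MARKER"}}',
  'not-json',
];

const TARGET = "application.updateTraefikConfig";
// Legitimate Traefik matcher calls, e.g. Host(`a.example`) or Host(`a`, `b`).
const MATCHER = /\b[A-Z][A-Za-z]*\((?:\s*`[^`]*`\s*,?)+\)/g;
// Checked after matcher calls have been replaced by the \u0001 placeholder.
const RESIDUE_CHECKS = [
  ["backtick outside a rule matcher", /`/],
  ["command separator ;", /;/],
  ["pipe into a command", /(?<!\|)\|[ \t]*[A-Za-z\/]/],
  ["&& or || not followed by a matcher", /(?:&&|\|\|)(?![\s!(]*\u0001)/],
];

function shellFindings(value) {
  // $( is checked on the raw value so it cannot hide inside a matcher argument.
  const findings = /\$\(/.test(value) ? ["command substitution $("] : [];
  const residue = value.replace(MATCHER, "\u0001");
  for (const [name, re] of RESIDUE_CHECKS) {
    if (re.test(residue)) findings.push(name);
  }
  return findings;
}

function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    let event;
    try { event = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!event || event.path !== TARGET) continue;
    const findings = shellFindings(String(event.input?.traefikConfig ?? ""));
    if (findings.length) hits.push({ ts: event.ts, user: event.user, findings });
  }
  return hits;
}
```

The checks are heuristics for triage: a hit means the request deserves review alongside process telemetry from the managed host, not that injection occurred.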
Monitoring Recommendations
- Forward Dokploy application logs and SSH session logs from managed hosts to a centralized log platform with retention sufficient for incident response.
- Alert on new persistence artifacts such as cron entries, systemd units, or SSH authorized_keys modifications on Dokploy-managed nodes.
- Monitor Dokploy administrator account creation, role escalation, and API token issuance events.
How to Mitigate CVE-2026-45630
Immediate Actions Required
- Upgrade Dokploy to a version later than 0.28.8 that includes the fix referenced in advisory GHSA-p787-6gqg-cvp5.
- Restrict admin and owner role membership to a minimal set of trusted operators and rotate any credentials shared with offboarded users.
- Review recent application.updateTraefikConfig activity and audit managed servers for unexpected processes, files, or outbound connections.
Patch Information
The maintainers documented the issue and remediation in the Dokploy GitHub Security Advisory GHSA-p787-6gqg-cvp5. Apply the fixed release published after 0.28.8 and redeploy any Dokploy instances exposed to administrative users.
Workarounds
- Place the Dokploy management interface behind a VPN or IP allow list to limit who can reach the tRPC endpoint until patching is complete.
- Enforce multi-factor authentication on all admin and owner accounts to reduce the risk of credential abuse against the privileged endpoint.
- Temporarily restrict use of the Traefik configuration update feature and review changes manually before applying them to managed servers.
# Verify Dokploy version and update to a patched release
docker inspect dokploy --format '{{.Config.Image}}'
docker pull dokploy/dokploy:latest
docker compose -f /etc/dokploy/docker-compose.yml up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


