CVE-2026-45662 Overview
CVE-2026-45662 is a command injection vulnerability in Dokploy, a free self-hostable Platform as a Service (PaaS). The flaw resides in the deleteRegistry function within packages/server/src/services/registry.ts. Dokploy versions 0.29.0 and earlier execute docker logout ${response.registryUrl} without applying shell escaping. The same source file correctly uses shEscape() for the corresponding docker login command, making the omission an inconsistency rather than a missing safeguard. An authenticated attacker can craft a malicious registryUrl value and trigger arbitrary OS command execution on the Dokploy host when the registry is deleted.
Critical Impact
Authenticated attackers can execute arbitrary commands on the underlying Dokploy server, compromising confidentiality, integrity, and availability of the PaaS host.
Affected Products
- Dokploy 0.29.0
- Dokploy versions prior to 0.29.0
- Self-hosted Dokploy PaaS deployments
Discovery Timeline
- 2026-05-29 - CVE-2026-45662 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45662
Vulnerability Analysis
The vulnerability is classified as OS Command Injection [CWE-78]. Dokploy manages container registries through a server-side service module that wraps the Docker CLI. When an administrator deletes a configured registry, the application invokes docker logout against the URL stored for that registry. The implementation interpolates the stored registryUrl directly into the shell command string without sanitization. Because the registryUrl value is attacker-controllable through the registry creation or update workflow, shell metacharacters embedded in that value are interpreted by the shell at deletion time. The attacker requires low-privilege authenticated access to the Dokploy UI or API to set the malicious value.
Root Cause
The deleteRegistry function in packages/server/src/services/registry.ts constructs the docker logout command using template literal interpolation rather than the project's existing shEscape() helper. The same file applies shEscape() correctly to the docker login path, confirming the project maintains a sanitization primitive that was not consistently applied. The missing escape on the logout branch allows shell metacharacters such as ;, &&, |, and backticks to break out of the intended argument context.
Attack Vector
An attacker with permission to create or modify registry entries supplies a registryUrl containing shell metacharacters and a payload command. The value is persisted in the Dokploy database. When the attacker, or any user, deletes the registry entry, Dokploy passes the unsanitized URL to the shell, executing the injected command under the privileges of the Dokploy server process. Network access to the Dokploy management interface is sufficient for exploitation.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-827c-7x62-29jq for the upstream technical description.
Detection Methods for CVE-2026-45662
Indicators of Compromise
- Registry entries in the Dokploy database whose registryUrl field contains shell metacharacters such as ;, &&, |, $(, or backticks.
- Unexpected child processes spawned by the Dokploy Node.js process, particularly shells (sh, bash) invoking commands unrelated to Docker.
- Audit log entries showing registry deletion events immediately followed by anomalous process execution on the host.
Detection Strategies
- Inspect application logs for deleteRegistry invocations and correlate them with process execution telemetry on the host.
- Hunt for outbound network connections initiated by processes that are descendants of the Dokploy service following registry CRUD operations.
- Review database records for stored registry URLs that do not match the expected URL grammar.
Monitoring Recommendations
- Enable command-line auditing on the Dokploy host to capture full arguments of docker invocations and any spawned shells.
- Forward Dokploy application logs and host process telemetry to a centralized SIEM and alert on anomalous child processes of the Dokploy runtime.
- Monitor administrative API endpoints handling registry create, update, and delete actions for unusual payload content.
How to Mitigate CVE-2026-45662
Immediate Actions Required
- Upgrade Dokploy to a version later than 0.29.0 that applies shEscape() to the docker logout command path.
- Audit all existing registry entries and remove or normalize any registryUrl values that contain shell metacharacters before performing deletions.
- Restrict access to the Dokploy management interface to trusted administrators and place it behind network-layer access controls.
Patch Information
The vendor advisory is published as GHSA-827c-7x62-29jq. Apply the fixed release identified in that advisory. The remediation extends the use of the existing shEscape() helper to the docker logout invocation in packages/server/src/services/registry.ts.
Workarounds
- Limit registry creation and deletion permissions to a minimal set of trusted operators until the patch is applied.
- Validate registryUrl input at the application boundary, rejecting values that contain characters outside the expected URL character set.
- Run the Dokploy service as an unprivileged user inside a hardened container to reduce the impact of command execution on the host.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
