Skip to main content

Dokploy CVE-2026-27130

| EUVDEUVD-2026-30809 CRITICAL
OS Command Injection (CWE-78)
2026-05-18 security-advisories@github.com
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 18, 2026 - 22:16 EUVD
Source Code Evidence Fetched
May 18, 2026 - 21:30 vuln.today
Analysis Generated
May 18, 2026 - 21:30 vuln.today

DescriptionGitHub Advisory

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. 3 chained issues cause this problem: inadequate input sanitization, lack of schema validation and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.

AnalysisAI

OS command injection in Dokploy self-hosted PaaS (versions <= 0.26.6) allows an authenticated low-privileged user to achieve server-level remote code execution by injecting shell metacharacters into the appName parameter when creating an application or database. The cleanAppName sanitizer only lowercases and strips spaces, leaving characters like ;, $(), backticks, |, and & to be passed directly into execAsync()/execAsyncRemote() shell interpolation when service lifecycle operations run. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV, but the GitHub commit diff publicly demonstrates the vulnerable code path.

Technical ContextAI

Dokploy is a Node.js-based self-hostable Platform-as-a-Service that orchestrates Docker/Docker Swarm services on behalf of users, similar in scope to Heroku or Coolify. The flaw is a classic CWE-78 (OS Command Injection) caused by three compounding weaknesses in packages/server/src/db/schema: (1) the Zod schema for appName was declared as a free-form z.string() with no regex or length bounds, (2) the cleanAppName helper performed only cosmetic normalization (lowercasing and replacing spaces), and (3) the resulting string was concatenated into shell command lines invoked through Node's execAsync/execAsyncRemote helpers used to manage applications, compose stacks, MariaDB, MongoDB, and MySQL services. The fix commit 960892fd8d adds APP_NAME_REGEX validation with min(1)/max(63) length limits to the Zod schemas across application.ts, compose.ts, mariadb.ts, mongo.ts, and mysql.ts, enforcing safe DNS-label-style names at the API boundary.

RemediationAI

Upgrade Dokploy to version 0.26.7 or later, which introduces APP_NAME_REGEX and length validation (min 1, max 63) on the appName Zod schema across application, compose, MariaDB, MongoDB, and MySQL create endpoints, blocking shell metacharacters at the API boundary; details are in GHSA-fcgq-jjfg-hrhj and commit 960892fd8dcf12b7a73a00edaa1b7090fca860c7. If immediate patching is not possible, restrict who can authenticate to the Dokploy instance and remove or downgrade any non-essential users with application-creation privileges, since exploitation requires PR:L; placing the Dokploy control plane behind a VPN or IP allowlist and disabling any public self-registration further narrows exposure, at the cost of reduced collaboration convenience. Review audit logs and existing application records for suspicious appName values containing characters such as ;, |, &, $, or backticks, and rebuild the host if compromise is suspected, since execution occurs with server-level privileges.

Share

CVE-2026-27130 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy