
Dokploy EUVD-2026-33352 | CVE-2026-45661 CRITICAL
Path Traversal (CWE-22)
2026-05-29 · GitHub_M
CVSS 3.1 base score 9.9 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: May 29, 2026, 17:52 (vuln.today)

Description (GitHub Advisory)

Dokploy is a free, self-hostable Platform as a Service (PaaS). In version 0.26.5 and earlier, a critical path traversal vulnerability allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.

Analysis (AI)

Authenticated path traversal in Dokploy v0.26.5 and earlier (CWE-22) enables arbitrary file write during application deployment, escalating to remote code execution when the affected instance uses the remote server deployment feature. With a CVSS 9.9 score reflecting scope change and full CIA impact, any user with deployment privileges can drop cron jobs onto remote hosts to fully compromise them, bypassing container isolation. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain low-privileged Dokploy account
Delivery: Initiate application deployment with traversal path
Exploit: Worker writes file outside deploy directory
Execution: Malicious cron entry lands on remote host
Persist: Cron executes attacker code as deploy user
Impact: Install backdoor and exfiltrate data

Vulnerability Assessment (AI)

Exploitation: Requires (1) a valid authenticated Dokploy account with permission to create or trigger application deployments (consistent with PR:L in the CVSS vector), (2) network reachability to the Dokploy control plane (AV:N), and (3) for the full RCE-on-remote-host chain, a Dokploy instance with the remote server deployment feature configured against one or more remote targets; without that feature the impact reduces to arbitrary file write on the Dokploy host itself rather than crossing container isolation. …
Risk Assessment: Signals are largely aligned toward high real-world risk. CVSS 9.9 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H indicates network-reachable, low-complexity exploitation that requires only low-privileged authentication and no user interaction, with a scope change that accounts for the jump from the deployment context to the host. …
Exploit Scenario: An attacker who has obtained or been granted a low-privileged Dokploy account (for example a contractor with deploy rights on a single project, or a credential leaked through reuse) initiates an application deployment whose build or path metadata contains traversal sequences. The Dokploy worker writes the attacker-controlled file outside the deployment directory on a remote target host, in this scenario into a cron spool path, and cron picks it up on the next interval, granting code execution as the deployment user on the remote server with no further user interaction. …
Remediation: Upgrade to the fixed Dokploy release named in the vendor advisory at https://github.com/Dokploy/dokploy/security/advisories/GHSA-66v7-g3fh-47h3. The source data for this page does not include the specific patched version number, so administrators should take the fix version from that GHSA rather than from any other source. …
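The pattern the scenario above describes is the classic CWE-22 write: attacker-controlled relative path metadata is joined onto a deploy root and used as the destination without checking that the result still lies inside that root. The following is an added example, not Dokploy's code and not taken from the advisory; it shows the vulnerable join beside a hardened containment check that refuses anything outside the root. The function names, the `/srv/deploy/app-1` root and the sample paths are assumptions constructed for this illustration.

```typescript
// Added example, not Dokploy's code: the CWE-22 pattern behind this advisory,
// shown generically. Function names, the deploy root and the sample paths are
// assumptions constructed for the illustration. path.posix is used so results
// are identical on every platform.
import * as path from "node:path";

const p = path.posix;

// Vulnerable pattern: attacker-controlled relative path metadata is joined onto
// the deploy root and used as the write destination. join() normalises "..",
// so "../../../etc/cron.d/x" walks straight out of the root.
export function unsafeDestination(deployRoot: string, userPath: string): string {
  return p.join(deployRoot, userPath);
}

// Hardened pattern: resolve the candidate, then require it to be the root
// itself or a descendant of it. Returns null when the write must be refused.
// deployRoot is expected to be an absolute path.
export function safeDestination(deployRoot: string, userPath: string): string | null {
  const root = p.resolve(deployRoot);
  // An absolute input would make resolve() discard the root entirely.
  if (p.isAbsolute(userPath)) return null;
  // Embedded NUL bytes can truncate the path in lower-level APIs.
  if (userPath.includes("\0")) return null;
  const candidate = p.resolve(root, userPath);
  // Compare against root + "/" so that a root of "/srv/deploy/app-1" does not
  // accept "/srv/deploy/app-1-evil/payload" as a child on a bare prefix match.
  if (candidate !== root && !candidate.startsWith(root + p.sep)) return null;
  return candidate;
}

// Constructed sample inputs: two legitimate relative paths and several
// traversal variants of the kind a malicious deployment might carry.
export const SAMPLE_INPUTS: readonly string[] = [
  "app/config.yml",
  "app/./nested/../file.txt",
  "../../../etc/cron.d/backdoor",
  "/etc/cron.d/backdoor",
  "app/../../../../var/spool/cron/crontabs/root",
  "../app-1-evil/payload",
];

export interface Verdict {
  input: string;
  unsafe: string;      // where the vulnerable code would write
  safe: string | null; // where the hardened code would write, or null if refused
}

// Runs both variants over a set of inputs so the two behaviours can be compared.
export function evaluate(deployRoot: string, inputs: readonly string[] = SAMPLE_INPUTS): Verdict[] {
  return inputs.map((input) => ({
    input,
    unsafe: unsafeDestination(deployRoot, input),
    safe: safeDestination(deployRoot, input),
  }));
}

// Stand-alone demo: prints one row per sample input.
console.table(evaluate("/srv/deploy/app-1"));
```

The check is purely lexical, which is enough to stop `..` and absolute-path traversal but not a symlink already present inside the deploy root that points outside it; a worker that writes into a directory whose contents it does not fully control should additionally resolve the parent with `fs.realpath` (or open with `O_NOFOLLOW`) before the write. Note also that `join()` and `resolve()` fail differently: `join` keeps an absolute second argument inside the root, while `resolve` discards the root, which is why the hardened function rejects absolute input explicitly rather than relying on either call.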

Recommended Action (AI)

Within 24 hours: disable the remote server deployment feature, or restrict the deployment role to essential personnel only. …
