Skip to main content

Dokploy EUVDEUVD-2026-33353

| CVE-2026-45633 CRITICAL
OS Command Injection (CWE-78)
2026-05-29 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 29, 2026 - 17:52 vuln.today
CVE Published
May 29, 2026 - 16:10 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.

AnalysisAI

Authenticated command injection in Dokploy 0.26.6 and earlier enables any logged-in user to run arbitrary OS commands as root via the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated into shell commands without validation, yielding a CVSS 9.9 (Scope:Changed) issue affecting this self-hosted PaaS. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Technical ContextAI

Dokploy is an open-source, self-hostable Platform-as-a-Service that orchestrates Docker containers, comparable to Heroku/Vercel-style deployments. The flaw is a classic CWE-78 (OS Command Injection): user-controlled parameters (tail, since - typically numeric arguments forwarded to docker logs --tail=N --since=T) are interpolated directly into a shell string rather than passed as argv elements or sanitized against an allow-list. Because the Dokploy server process manages Docker on the host, the resulting command runs in the privilege context of the daemon, which per the advisory equates to root. Exposure surface is a WebSocket endpoint (/docker-container-logs), meaning exploitation rides on the same upgraded HTTP session used by the dashboard. The single CPE - cpe:2.3:a:dokploy:dokploy:*:*:*:*:*:*:*:* - confirms all versions through 0.26.6 are in scope.

RemediationAI

Upgrade to the fixed Dokploy release identified in GHSA-wmqj-wr9q-327p (https://github.com/Dokploy/dokploy/security/advisories/GHSA-wmqj-wr9q-327p); the input data does not include the exact fix version, so confirm the patched version directly from the advisory before deploying. Until upgraded, restrict network reachability of the Dokploy UI/API to trusted operators only (VPN, IP allow-list, or reverse-proxy auth in front of the dashboard) - this blocks the network attack vector but breaks remote team access. Additionally, audit and reduce the number of accounts that can authenticate to the Dokploy instance, since the vulnerability requires only a low-privilege session; revoke shared or stale credentials, with the trade-off of operational friction for legitimate collaborators. As a partial mitigation, block or proxy-filter WebSocket upgrade requests to /docker-container-logs at an upstream reverse proxy, accepting the side effect that the in-app container log viewer will stop working for all users.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-33353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy