CVE-2026-45628: Dokploy: Command Injection via Unescaped Branch Fields in Deployment Pipeline
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly into these commands without escaping. This requires an authenticated user with application create/edit privileges.
HarborGuard Analysis
Synopsis
Command injection in Dokploy, a self-hostable PaaS, lets an authenticated user with application create/edit privileges run arbitrary shell commands on the host. Dokploy builds shell commands with JavaScript template literals and runs them through child_process.exec() (which invokes /bin/sh -c), interpolating user-supplied branch names, repository URLs, and Docker credentials without escaping. Successful exploitation gives the attacker full read and write access to anything the Dokploy process can reach, including secrets, source, and deployed workloads. No fix has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and CI pipelines, including custom-built images that embed Dokploy 0.29.2 or earlier.
- Triage: Available
Triage is available with the published CVSS v3.1 score of 9.6 (Critical), weighted against each customer org's compliance policy (Dokploy instances exposed to untrusted users typically escalate further) and routed to the appropriate inbox inside that org.
- Remediation: Pending upstream
No upstream fix is published yet. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Dokploy ships a fixed release; auto-remediation customers will then get a rebuild, a regression run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Dokploy web interface over the network.
- Authentication: Required
A valid Dokploy account with application create or edit privileges is required.
- Victim interaction: Not required
No victim action is needed; the attacker triggers the deployment themselves.
- Attack complexity: Low
Attack complexity is low: injecting shell metacharacters into a branch name, repository URL, or Docker credential field works reliably.
Blast Radius
- Executes arbitrary shell commands as the Dokploy process user on the host.
- Reads any file the Dokploy process can access, including deployment secrets, Docker credentials, and source repositories.
- Modifies deployment configuration, container images, and pipeline state across applications managed by the instance.
- Pivots into deployed workloads and connected registries using the credentials Dokploy stores.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the GitHub advisory for a fixed Dokploy release, with the patched-image rebuild going live the moment upstream publishes. In the meantime, compensating controls available to customers include restricting application create/edit privileges to a minimal trusted set, putting the Dokploy admin UI behind a VPN or SSO-gated ingress, applying network policies that block Dokploy from reaching unintended internal services, and feature-flag gating any self-service deployment flows that expose branch or repository fields to less trusted users. For environments with auto-remediation enabled, the rebuild, regression run, and patch PR will be issued automatically once a fixed version ships.
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- Dokploy / dokploy: <= 0.29.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N