CVE-2026-45629: Dokploy: Authenticated Remote Code Execution via Command Injection in /listen-deployment WebSocket Endpoint
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.28.8 and earlier, an authenticated OS command injection in the /listen-deployment WebSocket endpoint allows any organization member to execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
HarborGuard Analysis
Synopsis
Authenticated OS command injection in Dokploy's /listen-deployment WebSocket endpoint affects versions 0.28.8 and earlier. Any logged-in organization member can reach the endpoint over the network and inject shell commands that execute on remote servers managed by Dokploy, resulting in full server takeover. No upstream fix is published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as one is available.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment, with the CVE ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle Dokploy 0.28.8 or earlier.
- Triage: Available
Triage is available with the published CVSS 3.1 score of 9.9 (Critical) carried through and reweighted against each customer's compliance policy. Findings are routed to the security or platform inbox configured inside each customer organization.
- Patched-image rebuild: Pending upstream
No fix version is published upstream, so a patched-image rebuild cannot yet be made available. HarborGuard re-checks the advisory each ingest cycle and will publish a rebuilt image, run regression tests, and open PRs for auto-remediation customers as soon as the Dokploy maintainers ship a fixed release.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Dokploy /listen-deployment WebSocket endpoint over the network.
- Authentication: Required
Any low-privilege organization member account is sufficient; no admin role is needed.
- Victim interaction: Not required
Exploitation is driven entirely by the attacker's WebSocket traffic with no user action.
- Attack complexity: Low (AC:L)
AC:L indicates the exploit is reliable and free of environmental preconditions.
Blast Radius
- Executes arbitrary OS commands on every remote server managed by the Dokploy instance, yielding full host compromise.
- Reads any secrets, deployment configs, and application data stored on those managed servers.
- Modifies or replaces deployed workloads, container definitions, and persisted state across the managed fleet.
- Can disrupt hosted services by killing processes, exhausting resources, or tampering with deployment pipelines.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Dokploy advisory with daily re-checks for an upstream fix, plus matching of affected versions (<= 0.28.8) against images in customer registries and build pipelines. Until a patched release ships, compensating-control suggestions are surfaced in-product, including restricting network exposure of the Dokploy control plane to trusted networks or VPN, tightening organization membership and invite policies so the authenticated attack surface is minimal, and adding egress filtering on managed servers to limit post-exploitation reach. The moment Dokploy publishes a fixed version, a rebuilt image becomes available on HarborGuard and, for environments with auto-remediation enabled and where compliance policy permits, a regression-tested PR is opened against affected workloads.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: none published yet
- Affected products: 1
- Dokploy / dokploy <= 0.28.8
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L