CVE-2026-45630: Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
HarborGuard Analysis
Synopsis
An authenticated OS command injection in Dokploy's `application.updateTraefikConfig` tRPC endpoint lets admin or owner users inject arbitrary shell commands through an unsanitized `echo` interpolation: the caller-supplied Traefik configuration body is spliced into a shell command line rather than written as data. The endpoint is reached over the network and requires a high-privilege account, but no victim interaction. Successful exploitation runs attacker-chosen commands on the remote servers the Dokploy instance manages, yielding full code execution, file tampering, and service disruption on those hosts. No fix version has been published yet; HarborGuard tracks the advisory for patch availability.
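The injection mechanism, as an added Node.js illustration that is not Dokploy's own code: a config-update helper that splices the request body into an `echo "..." > path` shell string, beside a hardened builder that ships the body as base64 and single-quotes the destination path so nothing the caller sends is ever parsed as shell syntax. The function names, the destination path, the `base64 -d` assumption (GNU coreutils on a Linux target) and the sample payload are assumptions made for this example.

```javascript
// Added illustration, not Dokploy's code. Names and the path below are hypothetical.
const TRAEFIK_CONFIG_PATH = "/etc/dokploy/traefik/dynamic/app.yml";

// VULNERABLE pattern. Inside double quotes the shell still expands $(...), `...` and
// $VAR, and a body containing an unescaped " simply closes the string. Any config the
// admin submits therefore becomes part of a command line on the remote host.
function buildVulnerableCommand(content, path = TRAEFIK_CONFIG_PATH) {
  return `echo "${content}" > ${path}`;
}

// Single-quote a value for POSIX sh. Nothing is interpreted inside '...'; an embedded
// single quote becomes '\'' (close the string, escaped quote, reopen the string).
function shellQuote(s) {
  return "'" + s.replace(/'/g, "'\\''") + "'";
}

// HARDENED builder. The body travels as base64, whose alphabet [A-Za-z0-9+/=] holds
// no shell metacharacters, and the path is single-quoted. The remote side decodes the
// bytes into the file verbatim; no part of `content` is parsed by the remote shell.
// Assumes GNU coreutils `base64 -d` on the target host.
function buildSafeCommand(content, path = TRAEFIK_CONFIG_PATH) {
  const b64 = Buffer.from(content, "utf8").toString("base64");
  // Defensive re-check of the alphabet before the value is placed on a command line.
  if (!/^[A-Za-z0-9+/]*={0,2}$/.test(b64)) {
    throw new Error("base64 output contains unexpected characters");
  }
  return `printf '%s' '${b64}' | base64 -d > ${shellQuote(path)}`;
}

// Recover the file body the remote host would write from a hardened command string.
// Used here to show that the round trip keeps the payload as data, not as a command.
function decodeSafeCommand(cmd) {
  const m = /^printf '%s' '([A-Za-z0-9+/=]*)' \| base64 -d > /.exec(cmd);
  if (!m) throw new Error("not a command produced by buildSafeCommand");
  return Buffer.from(m[1], "base64").toString("utf8");
}

// Constructed sample payload (not from the advisory): it closes the echo's double
// quote, runs a command, then reopens the quote so the rest of the line stays valid.
const INJECTED_CONFIG = '"; id > /tmp/pwned; echo "';

// Side-by-side view of what each builder would hand to the remote shell.
function demo(content = INJECTED_CONFIG) {
  return {
    vulnerable: buildVulnerableCommand(content),
    hardened: buildSafeCommand(content),
    roundTrip: decodeSafeCommand(buildSafeCommand(content)) === content,
  };
}
```

The `decodeSafeCommand` round trip exists only to make the contrast checkable: the vulnerable string carries `; id > /tmp/pwned;` as live shell syntax, while the hardened one carries the same bytes as an opaque base64 token. In a real fix the stronger option is to avoid the remote shell for file writes altogether (an SFTP put over the existing SSH session) and to validate that the submitted body actually parses as Traefik YAML before writing it.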
HarborGuard Coverage
- Detection: Available. The CVE is ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and pipelines. Coverage includes custom-built images that embed Dokploy 0.28.8 or earlier as a base or component.
- Triage scoring: Available. Scoring uses the published CVSS 9.0 critical rating, weighted by each customer's compliance policy (for example, whether Dokploy instances are internet-exposed or restricted to admin networks). Findings are routed to the appropriate inbox inside each customer org so the right team sees the critical-severity ticket.
- Remediation: Pending upstream. No upstream fix is available yet, so a patched-image rebuild cannot be produced. HarborGuard re-checks the advisory on each ingest cycle and will make a rebuilt image at the fixed version available as soon as the upstream patch is published; auto-remediation customers then receive a regression run and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Dokploy tRPC endpoint over the network.
- Authentication: Required
An admin or owner account on the Dokploy instance is required to call the vulnerable endpoint.
- Victim interaction: Not required
Exploitation is driven entirely by the attacker's API call; no user has to click or approve anything.
- Attack complexity: Low
The injection is a reliable shell interpolation with no race or environmental preconditions; a single crafted request suffices.
Blast Radius
- Executes arbitrary OS commands on the remote servers Dokploy manages, under the account Dokploy uses to run commands on those hosts.
- Reads any files and secrets accessible to that account, including deployment credentials and Traefik configuration.
- Modifies system state and persisted configuration, allowing backdoors or tampering with managed applications.
- Can disrupt Dokploy-managed services and the Traefik proxy, causing partial availability loss.
How HarborGuard Handles This
Available on HarborGuard: continuous matching of Dokploy 0.28.8 and earlier across customer registries and build pipelines, with critical-severity tickets routed according to each org's compliance policy. While no upstream fix exists, suggested compensating controls include restricting the Dokploy UI and tRPC API to a management network or VPN, tightening who holds admin/owner roles (the injection requires one of these roles), and adding egress filtering on the Dokploy host and its managed servers to limit post-exploitation reach. HarborGuard re-checks the advisory each ingest cycle and, as soon as a fixed Dokploy release ships, a patched-image rebuild becomes available automatically; environments with auto-remediation enabled then get a regression run and a PR opened against affected workloads.
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: none published yet
- Affected Products: 1
- Dokploy / dokploy <= 0.28.8
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L