CVE-2026-45633: Dokploy: Command Injection in /docker-container-logs Endpoint
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
HarborGuard Analysis
Synopsis
Dokploy, a self-hostable Platform as a Service, contains a command injection flaw in its /docker-container-logs WebSocket endpoint where the tail and since parameters are concatenated into shell commands without validation. The endpoint is reachable over the network and requires only an authenticated low-privilege account, after which an attacker can execute arbitrary commands as root on the host. No fix version has been published; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix ships.
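The flaw the advisory describes is a pattern rather than a Dokploy-specific detail: two request parameters that should only ever be a line count and a time window are pasted into a shell command line. The example below is added here and is not Dokploy's code or HarborGuard's; it is plain Node.js (Dokploy itself is written in TypeScript) and assumes a hypothetical request shape `{ containerId, tail, since }` for the log endpoint. It shows the weak string-building form side by side with a hardened version that allow-lists `tail` and `since`, validates the container ID, and passes an argv array to `execFile` so no shell is ever involved. The sample requests at the bottom are constructed for the example.

```javascript
// Assumed request shape for a container-log WebSocket message (not Dokploy's real
// types): { containerId, tail, since }. tail is a line count or "all"; since is a
// Docker duration such as 10m / 1h30m or an RFC 3339 timestamp.

// The weak pattern the advisory describes: untrusted values spliced into one
// shell command line. Kept only for contrast with the builder below; nothing
// in this file ever hands the resulting string to a shell.
function buildShellCommandUnsafe(p) {
  const since = p.since ? ` --since ${p.since}` : "";
  return `docker logs --tail ${p.tail ?? "100"}${since} ${p.containerId}`;
}

// Allow-list validators. Docker names/IDs match [a-zA-Z0-9][a-zA-Z0-9_.-]*, and the
// first-character rule also stops a value from being parsed as a flag.
const CONTAINER_ID = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;
const TAIL = /^(all|\d{1,7})$/;
const SINCE_DURATION = /^(\d+[smh])+$/;
const SINCE_RFC3339 = /^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2}))?$/;

// Returns a normalised copy of the parameters or throws on anything outside the allow-list.
function validateLogParams(p) {
  if (typeof p.containerId !== "string" || !CONTAINER_ID.test(p.containerId)) {
    throw new Error("invalid containerId");
  }
  const tail = p.tail === undefined ? "100" : String(p.tail);
  if (!TAIL.test(tail)) throw new Error("invalid tail");
  let since;
  if (p.since !== undefined) {
    since = String(p.since);
    if (!SINCE_DURATION.test(since) && !SINCE_RFC3339.test(since)) throw new Error("invalid since");
  }
  return { containerId: p.containerId, tail, since };
}

// Hardened form: build an argv array and hand it to execFile, which never invokes
// a shell, so a metacharacter in a value can only ever be a literal argument.
function buildDockerLogsArgv(p) {
  const v = validateLogParams(p);
  const argv = ["logs", "--tail", v.tail];
  if (v.since !== undefined) argv.push("--since", v.since);
  argv.push(v.containerId);
  return argv;
}

// Runs `docker logs` with the validated argv. Not called by the samples below,
// since it needs a Docker daemon; shown to make the execFile (no-shell) call explicit.
async function fetchContainerLogs(p) {
  const argv = buildDockerLogsArgv(p); // validation happens before any spawn
  const { execFile } = await import("node:child_process");
  return new Promise((resolve, reject) => {
    execFile("docker", argv, { maxBuffer: 16 * 1024 * 1024 }, (err, stdout, stderr) => {
      if (err) reject(new Error(`docker logs failed: ${stderr || err.message}`));
      else resolve(stdout);
    });
  });
}

// Constructed samples: the first two are what a legitimate client sends; the rest
// carry shell metacharacters, whitespace or a leading dash and must be rejected.
const SAMPLE_REQUESTS = [
  { containerId: "web-1", tail: "50", since: "10m" },
  { containerId: "abc123def456", tail: "all", since: "2026-01-02T03:04:05Z" },
  { containerId: "web-1", tail: "50;" },
  { containerId: "web-1", since: "10m | x" },
  { containerId: "-rm", tail: "10" },
];

// Returns the indexes of SAMPLE_REQUESTS that the validator rejects.
function rejectedSampleIndexes() {
  const rejected = [];
  SAMPLE_REQUESTS.forEach((req, i) => {
    try {
      validateLogParams(req);
    } catch {
      rejected.push(i);
    }
  });
  return rejected;
}
```

The important design point is that validation and the no-shell `execFile` call are both present: the allow-list keeps malformed values out of the Docker CLI entirely, and the argv array means that even a value that slipped past the regexes could not reach a shell interpreter. Either measure alone is weaker; a validator with a gap still feeds a shell, and a shell-free spawn with no validation still lets a client pass unexpected flags or IDs to `docker`.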
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-45633 is available across every HarborGuard environment, with the advisory ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and CI pipelines. Coverage extends to custom-built images that bundle or derive from Dokploy 0.26.6 or earlier.
- Triage: Available
Triage is available with the CVSS 3.1 base score of 9.9 (Critical) applied, then weighted against each customer's compliance policy (for example, internet-exposed PaaS control planes are typically escalated further). Findings are routed to the security inbox configured for the owning team inside each customer org.
- Patched image: Pending upstream
No upstream fix has been published for Dokploy at this time. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fixed version ships, with auto-remediation customers automatically receiving a rebuild, regression-test run, and PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Dokploy /docker-container-logs WebSocket endpoint over the network.
- Authentication: Required
Any authenticated Dokploy account is sufficient; no admin role is needed to reach the vulnerable endpoint.
- Victim interaction: Not required
Exploitation is driven entirely by the attacker's crafted WebSocket parameters with no user action needed.
- Attack complexity: Low (AC:L)
AC:L indicates the injection is reliable and free of timing or environmental preconditions.
Blast Radius
- Executes arbitrary shell commands as root on the Dokploy host, giving full control of the PaaS control plane.
- Reads any file or secret accessible to root, including deployment credentials, environment variables, and customer application data.
- Modifies or destroys managed containers, deployment configuration, and persisted Dokploy state.
- Can disrupt or take offline every application managed by the affected Dokploy instance.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Dokploy advisory with automatic re-check each ingest cycle, so a patched-image rebuild becomes available the moment upstream publishes a fix. Until then, compensating-control guidance is surfaced alongside the finding, including restricting network exposure of the Dokploy control plane (network policy or VPN-only access), tightening account provisioning so only trusted operators can authenticate, and adding egress filtering on the Dokploy host to limit post-exploitation reach. For environments with auto-remediation enabled and where compliance policy permits, the rebuild-and-PR flow will trigger automatically once a fixed version ships.
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
- Dokploy / dokploy: <= 0.26.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H