Severity: CRITICAL | CVE-2026-45661 | CNA: GitHub_M

CVE-2026-45661: Dokploy: Remote Code Execution through Path Traversal

Dokploy is a free, self-hostable Platform as a Service (PaaS). In version 0.26.5 and earlier, a critical path traversal vulnerability allows authenticated users to write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this vulnerability enables arbitrary file write to remote server filesystems, automatic remote code execution via cron jobs, complete server compromise, data exfiltration without user interaction, and persistent backdoor installation. This vulnerability bypasses all container isolation on remote server deployments.

HarborGuard Analysis

Synopsis

A path traversal flaw in Dokploy (a self-hostable PaaS) lets any authenticated user write arbitrary files to the host filesystem during application deployment. The bug is reachable over the network and only requires a low-privilege account, with no victim interaction. When combined with Dokploy's remote server deployment feature, writes land on remote hosts and lead to remote code execution via cron jobs, full server compromise, and persistent backdoors that bypass container isolation. No upstream fix is published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as the maintainers ship one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and CI pipelines, including custom-built images derived from the affected versions.

Triage: Available

Triage is available with the published CVSS 9.9 critical score applied and reweighted against each customer org's compliance policy, then routed into the appropriate inbox or ticket queue inside that environment.

Patch: Pending upstream

No fix version has been published upstream, so a patched-image rebuild cannot yet be produced. HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available the moment the maintainers publish a fixed Dokploy release, with auto-remediation customers receiving a rebuild, regression run, and PR opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Dokploy web interface over the network (AV:N).

  • Authentication: Required

    Any low-privilege authenticated Dokploy account is sufficient (PR:L).

  • Victim interaction: Not required

    No administrator or user action is needed; exploitation runs entirely from the attacker's session (UI:N).

  • Attack complexity: Low

    The exploit is reliable and condition-free, with no race or environmental prerequisites (AC:L).

Blast Radius

  • Writes arbitrary files to the Dokploy host filesystem and, via the remote deployment feature, to connected remote servers.
  • Achieves remote code execution by dropping cron job files that the scheduler executes automatically.
  • Reads and exfiltrates application data, secrets, and credentials reachable from the compromised host.
  • Installs persistent backdoors that survive redeploys and bypass container isolation on remote targets.
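The root cause described above is a deployment write that trusts a caller-supplied relative path. As an added example (not Dokploy's code and not the upstream fix), the following TypeScript shows the weak join beside a confinement check a deployment service can apply before writing; the function names and the temporary-directory layout are assumptions made for the demo.

```typescript
// Added example, not Dokploy's code: confine deployment file writes to the
// application's deployment root. Function names are assumed for illustration.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

// Weak form: the caller-supplied name is joined under the root without checking
// where the result lands, so "../" segments walk out of the root.
function unsafeTarget(root: string, name: string): string {
  return path.join(root, name);
}

// Hardened form: resolve the candidate against the realpath of the root and
// refuse anything that does not stay strictly inside it. Returns null to refuse.
function safeTarget(root: string, name: string): string | null {
  if (name.length === 0 || name.includes("\0") || path.isAbsolute(name)) return null;
  const realRoot = fs.realpathSync(root);
  const candidate = path.resolve(realRoot, name);
  // Trailing separator so "/srv/app" does not match "/srv/app-other".
  if (!candidate.startsWith(realRoot + path.sep)) return null;
  // The nearest existing ancestor may be a symlink; it must also resolve inside the root.
  let probe = path.dirname(candidate);
  while (!fs.existsSync(probe)) probe = path.dirname(probe);
  const realProbe = fs.realpathSync(probe);
  if (realProbe !== realRoot && !realProbe.startsWith(realRoot + path.sep)) return null;
  return candidate;
}

// Writes only when the target passed the check; reports whether the write happened.
function writeDeployFile(root: string, name: string, data: string): boolean {
  const target = safeTarget(root, name);
  if (target === null) return false;
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, data);
  return true;
}

// Constructed demo: a temporary deployment root, a second temp dir outside it,
// and a symlink from inside the root to that outside dir.
function demo(): { accepted: string[]; rejected: string[] } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "deploy-root-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "deploy-outside-"));
  fs.symlinkSync(outside, path.join(root, "link"));
  const names = ["app/index.js", "a/../b.txt", "../escape.txt", "/abs/file", "link/file", "."];
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const n of names) (writeDeployFile(root, n, "hello") ? accepted : rejected).push(n);
  return { accepted, rejected };
}
```

The symlink case matters on a shared host: a name that looks confined can still land outside the root once an existing ancestor resolves elsewhere, which is why the check inspects the realpath of the nearest existing directory and not just the lexical string.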

How HarborGuard Handles This

Available on HarborGuard: continuous tracking of the upstream advisory and detection of any Dokploy image at version 0.26.5 or earlier in customer registries and pipelines, with critical-severity routing into each org's triage queue. Until the maintainers publish a fix, compensating controls are recommended: restrict who can authenticate to Dokploy, isolate the Dokploy control plane with network policy, disable or tightly scope the remote server deployment feature, and add egress filtering on hosts Dokploy can reach. The moment an upstream patched release is published, a rebuilt image becomes available on HarborGuard, and environments with auto-remediation enabled get an automatic rebuild, regression run, and PR opened against affected workloads.

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fixed version published upstream yet
  • Affected products: 1
  • Affected packages: Dokploy / dokploy <= 0.26.5
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H