CVE-2026-45662: Dokploy: Command Injection via incomplete shell escaping in docker logout (registry deletion)
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.
HarborGuard Analysis
Synopsis
This is a command injection vulnerability in Dokploy, a self-hosted PaaS, where the deleteRegistry function in packages/server/src/services/registry.ts passes registryUrl directly into a docker logout shell invocation without escaping. An authenticated user who can reach the management API over the network can craft a malicious registryUrl that breaks out of the command and runs arbitrary shell commands on the Dokploy host when the registry is deleted, leading to full code execution, data tampering, and service disruption. No upstream fix is published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as one ships.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE record is ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and CI pipelines, including custom-built images that bundle affected versions of dokploy at or below 0.29.0.
- Triage: Available
Triage is available with the published CVSS v3.1 score of 8.8 (High) factored against each customer's compliance policy weighting, so the finding is routed to the appropriate inbox inside each customer org rather than dumped into a generic queue.
- Fix: Pending upstream
No upstream fix version has been published. HarborGuard re-checks the advisory on each ingest cycle and will make a patched-image rebuild available the moment a fixed dokploy release lands; for customers who opt into auto-remediation, that rebuild triggers a regression-test run and an automatic PR against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Dokploy management API over the network (AV:N).
- Authentication: Required
A low-privilege Dokploy account capable of invoking the registry deletion flow is sufficient (PR:L).
- Victim interaction: Not required
No victim interaction is needed; the attacker triggers the vulnerable code path directly (UI:N).
- Attack complexity: Low
AC:L indicates the exploit is reliable and free of environmental preconditions once the registryUrl is submitted.
Blast Radius
- Executes arbitrary shell commands as the Dokploy server process on the host running the PaaS.
- Reads any secrets, registry credentials, deployment configs, and tenant data accessible to that process.
- Modifies or deletes registry entries, deployment definitions, and any files writable by the Dokploy user.
- Disrupts hosted applications by killing containers, tampering with deploys, or crashing the Dokploy control plane.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Dokploy advisory with re-check on every ingest cycle, so the patched-image rebuild becomes available automatically once an upstream fix is published. In the meantime, compensating controls are surfaced in the finding, including restricting which accounts can create or delete registries, network-policy isolation of the Dokploy control plane from untrusted networks, and egress filtering from the Dokploy host to limit post-exploitation reach. For environments with auto-remediation enabled, the rebuild and PR against affected workloads will be generated the moment a fixed dokploy release lands.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- Dokploy / dokploy <= 0.29.0
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H