CVE-2026-45630
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated OS command injection in Dokploy's updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary commands on remote servers.
Vulnerability
In Dokploy versions 0.28.8 and earlier, the application.updateTraefikConfig tRPC endpoint accepts a traefikConfig input as a plain z.string() with no regex or character restrictions [1]. This value flows to the writeConfigRemote() function in packages/server/src/utils/traefik/application.ts, which interpolates it into a shell echo command wrapped in single quotes: echo '${traefikConfig}' > ${configPath} [1]. The affected code paths are in apps/dokploy/server/api/routers/application.ts (lines 851-873) and the utility function (lines 213-222) [1]. The endpoint is accessible only to admin or owner users.
Exploitation
An attacker with an admin or owner account on the target Dokploy instance and an application deployed on a server with an SSH key configured can exploit this vulnerability [1]. By sending a crafted tRPC mutation to application.updateTraefikConfig with a traefikConfig value containing a single quote ('), the attacker breaks out of the shell quoting context and injects arbitrary shell commands [1]. The advisory provides a concrete curl example that demonstrates the injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary OS commands on the remote server where the application is deployed [1]. This results in full compromise of that server, including potential data exfiltration, lateral movement within the infrastructure, and further privilege escalation depending on the SSH user's permissions [1].
Mitigation
As of the advisory publication date (2026-05-29), no patched version of Dokploy has been released [1]. Users should restrict admin and owner account access to trusted personnel only and monitor the project repository for a security update [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at the time of writing.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization in the `traefikConfig` parameter allows shell command injection via single-quote breakout in an `echo` command executed over SSH."
Attack vector
An attacker with an admin or owner account sends a crafted tRPC mutation to `application.updateTraefikConfig` containing a single quote (`'`) in the `traefikConfig` field, breaking out of the single-quote context in the shell `echo` command. This allows arbitrary OS commands to be injected and executed on the remote server via SSH. The payload is unsanitized because the input is validated only as `z.string()` with no regex or character restrictions. [CWE-78] [ref_id=1]
Affected code
The vulnerability resides in `apps/dokploy/server/api/routers/application.ts` (lines 851–873), where the tRPC route `updateTraefikConfig` accepts `traefikConfig` as a plain `z.string()` with no sanitization, and in `packages/server/src/utils/traefik/application.ts` (lines 213–222), where `writeConfigRemote()` interpolates that value into a shell `echo` command wrapped in single quotes. [ref_id=1]
What the fix does
The advisory does not include a patch diff, but the recommended fix is to sanitize the `traefikConfig` input by rejecting single quotes or using parameterized commands instead of shell interpolation. The root cause is the same class of vulnerability as previously reported in GitHub Issue #481, which was fixed in the registry password flow but not in the Traefik configuration path. [ref_id=1]
Preconditions
- auth: Attacker must have an admin or owner account on the Dokploy instance
- config: An application must be deployed on a server with an SSH key configured
- network: Network access to the Dokploy API endpoint
- input: The traefikConfig input must contain a single quote to break shell quoting
Reproduction
Send the following tRPC mutation with a crafted `traefikConfig` containing a single quote:

```
curl -X POST 'https://<dokploy_host>/api/trpc/application.updateTraefikConfig' \
  -H 'Cookie: <session_cookie>' \
  -H 'Content-Type: application/json' \
  -d '{ "applicationId": "<target_application_id>", "traefikConfig": "'\''; id; echo '\'' " }'
```

Or as a JSON payload:

```json
{
  "applicationId": "<target_application_id>",
  "traefikConfig": "'; id; echo '"
}
```

[ref_id=1]
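The following TypeScript is an added example, not Dokploy's code, illustrating the interpolation shape described under "What the fix does" and the single-quote breakout used in the reproduction above. It places the vulnerable builder beside two hardened forms (POSIX single-quote escaping, and keeping the file contents off the command line entirely via stdin) and includes a small checker that flags metacharacters sitting outside any quotes. The config path is hypothetical.

```typescript
// Vulnerable shape: the config is dropped straight into a single-quoted echo,
// so a single quote in the input terminates the quoted string early.
function buildCommandVulnerable(traefikConfig: string, configPath: string): string {
  return `echo '${traefikConfig}' > ${configPath}`;
}

// POSIX single-quote escaping: close the quote, emit an escaped quote, reopen.
// Inside single quotes nothing else is special, so this is the only character to handle.
function quoteForSh(value: string): string {
  return `'${value.replace(/'/g, `'\\''`)}'`;
}

// Hardened form 1: every interpolated value is quoted before it reaches the shell.
function buildCommandQuoted(traefikConfig: string, configPath: string): string {
  return `echo ${quoteForSh(traefikConfig)} > ${quoteForSh(configPath)}`;
}

// Hardened form 2 (parameterized): the command line never contains the config at
// all; the caller writes `stdin` to the remote process instead.
function buildCommandStdin(traefikConfig: string, configPath: string): { cmd: string; stdin: string } {
  return { cmd: `cat > ${quoteForSh(configPath)}`, stdin: traefikConfig };
}

// Detection helper: track quote state and report command separators or
// substitution characters that sh would act on (i.e. outside any quotes).
function hasUnquotedMetachar(cmd: string): boolean {
  let inSingle = false;
  let inDouble = false;
  for (let i = 0; i < cmd.length; i++) {
    const c = cmd[i];
    if (inSingle) { if (c === "'") inSingle = false; continue; }
    if (inDouble) { if (c === '"') inDouble = false; else if (c === "\\") i++; continue; }
    if (c === "\\") { i++; continue; }
    if (c === "'") { inSingle = true; continue; }
    if (c === '"') { inDouble = true; continue; }
    if (";|&\n$`".includes(c)) return true;
  }
  return false;
}

// Constructed inputs: the advisory's breakout payload and a hypothetical config path.
const ADVISORY_PAYLOAD = "'; id; echo '";
const CONFIG_PATH = "/etc/dokploy/traefik/dynamic/app.yml";

console.log("vulnerable:", buildCommandVulnerable(ADVISORY_PAYLOAD, CONFIG_PATH),
  "->", hasUnquotedMetachar(buildCommandVulnerable(ADVISORY_PAYLOAD, CONFIG_PATH)));
console.log("quoted:    ", buildCommandQuoted(ADVISORY_PAYLOAD, CONFIG_PATH),
  "->", hasUnquotedMetachar(buildCommandQuoted(ADVISORY_PAYLOAD, CONFIG_PATH)));
```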
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.