HIGH 8.8

CVE-2026-45662: Dokploy Command Injection in Registry Deletion (CVSS 8.8)

Dokploy, a self-hosted platform-as-a-service tool, contains a command injection vulnerability in its registry deletion function. When an administrator deletes a Docker registry configuration, the application fails to properly sanitize the registry URL before passing it to a system command. An attacker with legitimate platform access could craft a malicious registry URL that executes arbitrary commands on the server with the privileges of the Dokploy process. This vulnerability affects Dokploy version 0.29.0 and earlier.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.29.0 and earlier, the deleteRegistry function in Dokploy (packages/server/src/services/registry.ts) executes docker logout ${response.registryUrl} without shell escaping. In the same file, the docker login command correctly uses shEscape() to prevent command injection. This inconsistency creates a command injection vulnerability when deleting a registry with a crafted registryUrl.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the deleteRegistry function within packages/server/src/services/registry.ts. The function constructs and executes a docker logout command using an unsanitized registryUrl parameter: docker logout ${response.registryUrl}. The same codebase correctly applies shEscape() to the docker login command, demonstrating that the developers were aware of the command injection risk but failed to apply the same protection consistently to the logout operation. This inconsistency allows shell metacharacters and command separators in the registryUrl to break out of the intended command context and execute arbitrary system commands. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command).

Business impact

Successful exploitation requires an authenticated user with registry management permissions, limiting the attack surface to insider threats or compromised admin accounts. However, the impact is severe: an attacker could gain arbitrary code execution on the Dokploy host with full system access. This could lead to deployment of malicious container images, exfiltration of sensitive data including credentials stored within Dokploy, lateral movement to other infrastructure, or complete compromise of hosted applications. Organizations running Dokploy as a critical deployment platform face significant operational and security risk until patching is complete.

Affected systems

Dokploy versions 0.29.0 and earlier are affected. The vulnerability is present in the server-side registry management code, so any deployment of these versions where administrators or users with registry deletion privileges exist is at risk. Self-hosted Dokploy instances are the primary concern; exposure is limited to users with platform access and registry management capabilities.

Exploitability

Exploitation requires authenticated access to Dokploy with sufficient permissions to delete a registry—a moderately restrictive precondition. However, the actual exploitation itself is straightforward: an attacker need only provide a crafted URL when deleting a registry. No advanced techniques, TOCTOU conditions, or race conditions are required. The attack vector is network-based, and the complexity is low once access is obtained. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of high impact and the relatively low barrier to exploitation for an authenticated user.

Remediation

Upgrade Dokploy to a patched version that applies proper shell escaping to the registryUrl parameter in the deleteRegistry function, consistent with how the docker login command is already handled. Verify the patch version in the official Dokploy release notes. Until patching is possible, restrict registry deletion permissions to a minimal set of trusted administrators and monitor command execution logs on the Dokploy host for suspicious activity during registry management operations.

Patch guidance

Monitor the Dokploy project repository and release notes for a patched version addressing this vulnerability. When available, update to the first version after 0.29.0 that includes the fix. Apply the patch during a maintenance window and verify that registry operations continue to function correctly post-update. Test with non-production registries first if possible.

Detection guidance

Monitor system audit logs and container runtime logs on Dokploy hosts for unexpected command execution originating from the Dokploy process during registry deletion operations. Look for shell metacharacters (backticks, $(), semicolons, pipes) in registry URLs stored in Dokploy configuration or logs. Check for any docker logout commands followed by unauthorized process execution. If available, enable application-level logging within Dokploy to capture registry operation parameters.

Why prioritize this

Although exploitation requires authentication, the high impact (complete system compromise), low attack complexity, and the presence of a clear, fixable coding error make this a high-priority patch. Organizations should prioritize this update within their standard patch cycle, particularly if Dokploy instances are used to manage production deployments or handle sensitive credentials.

Risk score, explained

The CVSS 3.1 score of 8.8 reflects: network-based attack vector (AV:N), low attack complexity (AC:L), requirement for low privileges (PR:L), no user interaction needed (UI:N), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The score appropriately captures the severity of arbitrary code execution on the Dokploy server, tempered slightly by the authentication requirement.

Frequently asked questions

Does this vulnerability affect my Dokploy instance?

Yes, if you are running Dokploy version 0.29.0 or earlier. Check your deployed version in the Dokploy admin interface or environment configuration. The vulnerability only impacts instances where users have permissions to delete or modify registry configurations.

Can an unauthenticated attacker exploit this?

No. The vulnerability requires an authenticated user with registry management permissions. This limits the attack surface to administrators, developers with registry access, or compromised accounts with those privileges. However, insider threats or account compromise are realistic concerns in some environments.

What should I do immediately?

First, identify your current Dokploy version and plan an upgrade to a patched release. In parallel, audit your registry configurations for suspicious URLs and review access logs for any unauthorized registry deletion attempts. Restrict registry deletion permissions to only essential users if possible.

Are there workarounds if I cannot patch immediately?

While not a substitute for patching, you can reduce risk by strictly limiting who can delete registries, disabling registry deletion functionality if not required, and closely monitoring Dokploy process execution for signs of command injection attempts.

This analysis is based on publicly disclosed vulnerability information and the CVSS 3.1 scoring provided. Actual exploitation impact may vary depending on deployment configuration, access controls, and environment-specific factors. Organizations should verify patch availability with the official Dokploy project before applying updates. This vulnerability intelligence is provided for informational purposes to support security decision-making and does not constitute professional security advice or a guarantee of specific outcomes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).