CVE-2026-45630 CRITICAL

CVE-2026-45630: Dokploy: Authenticated Remote Code Execution via Command Injection in updateTraefikConfig Echo Statement

Vendor Dokploy
Product dokploy
Weakness CWE-78
Published May 29, 2026
Last update June 1, 2026

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

What the vulnerability does

01 Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.28.8 and earlier, an authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers, because unsanitized input is interpolated into a shell echo statement.
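The weakness class described above, shown as an added example that is not Dokploy's code (this record does not include the affected source): config text interpolated into a double-quoted echo, beside a single-quoted form that the shell treats as literal data. The function names and the sample config are assumptions made for illustration.

```javascript
// Added illustration; not Dokploy source. All names here are hypothetical.
const { execFileSync } = require("node:child_process");

// Constructed sample: Traefik-style YAML whose comment holds shell syntax.
const SAMPLE_CONFIG =
  "http:\n  routers: {}\n# note: it's $(printf EXPANDED)\n";

// "Before" pattern (assumed): text dropped inside a double-quoted echo.
// Double quotes still let the shell evaluate $(...), backticks and $VAR.
function buildEchoUnsafe(configText) {
  return `echo "${configText}"`;
}

// POSIX single-quote escaping: nothing is expanded inside '...';
// an embedded ' is written as '\'' (close, escaped quote, reopen).
function shellQuote(value) {
  const text = String(value);
  if (text.includes("\0")) {
    throw new RangeError("NUL byte cannot be passed in a shell word");
  }
  return `'${text.replace(/'/g, "'\\''")}'`;
}

// Hardened form: printf '%s' emits the quoted word byte for byte
// (echo may also interpret backslashes or a leading -n on some shells).
function buildPrintfSafe(configText) {
  return `printf '%s' ${shellQuote(configText)}`;
}

// Run a command line through sh and return its stdout.
function runInShell(commandLine) {
  return execFileSync("sh", ["-c", commandLine], { encoding: "utf8" });
}

// The first line shows the substitution evaluated; the second shows it kept as text.
console.log(JSON.stringify(runInShell(buildEchoUnsafe(SAMPLE_CONFIG))));
console.log(JSON.stringify(runInShell(buildPrintfSafe(SAMPLE_CONFIG))));
```

Quoting is the minimum fix; passing the content over stdin or a file-transfer channel so it never appears on a shell command line removes the interpolation entirely.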

Key dates

02 Disclosure timeline

May 29, 2026 CVE published
June 1, 2026 Record updated