CVE-2026-45633 CRITICAL

CVE-2026-45633: Dokploy: Command Injection in /docker-container-logs Endpoint

Vendor Dokploy
Product dokploy
Weakness CWE-78
Published May 29, 2026
Last update May 29, 2026

CVSS base score

9.9/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.6 and earlier, Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint. The tail and since parameters are not validated and are directly concatenated into shell commands, allowing authenticated users to execute arbitrary commands with root privileges.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
May 29, 2026 Record updated