Command Injection Vulnerability in Dokploy by Dokploy Inc.
CVE-2026-45662
8.8 HIGH
What is CVE-2026-45662?
Dokploy, a self-hostable Platform as a Service (PaaS), contains a command injection vulnerability in versions 0.29.0 and earlier. The 'deleteRegistry' function executes the command 'docker logout ${response.registryUrl}' without proper shell escaping. This is inconsistent with the 'docker login' command, which correctly applies shEscape() to mitigate command injection risks. Because the value reaches the shell unescaped, attackers can execute arbitrary commands by crafting a malicious 'registryUrl'. Users are advised to review the security advisory for further details and remediation steps.
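The difference between the unescaped and escaped command strings, shown as an added example that is not Dokploy's code or the advisory's fix. The names quoteForPosixShell, logoutArgv and isPlausibleRegistry are hypothetical, the quoting helper is a stand-in for shEscape() (whose implementation the page does not show), and the validation pattern is an assumed policy.

```javascript
// Added illustration; function names are hypothetical, not Dokploy's source.
// quoteForPosixShell is a stand-in for shEscape(), whose body the page does not show.

// POSIX single-quote escaping: wrap in '...' and rewrite each ' as '\''.
function quoteForPosixShell(arg) {
  return "'" + String(arg).replace(/'/g, "'\\''") + "'";
}

// Pattern the advisory describes: value interpolated raw into a shell string.
function logoutCommandUnescaped(registryUrl) {
  return `docker logout ${registryUrl}`;
}

// Same command with the value quoted, so the shell sees one literal word.
function logoutCommandEscaped(registryUrl) {
  return `docker logout ${quoteForPosixShell(registryUrl)}`;
}

// Shell-free form for child_process.execFile(file, args): nothing parses the value.
function logoutArgv(registryUrl) {
  return { file: "docker", args: ["logout", registryUrl] };
}

// Input check at the API boundary (assumed policy): [scheme://]host[:port][/path].
// Requiring an alphanumeric first character also rejects values starting with "-",
// which execFile would otherwise hand to docker as an option.
const REGISTRY_RE =
  /^(https?:\/\/)?[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?(\/[a-z0-9._\/-]*)?$/i;
function isPlausibleRegistry(registryUrl) {
  return typeof registryUrl === "string" && registryUrl.length <= 255 &&
    REGISTRY_RE.test(registryUrl);
}

// Constructed sample inputs, not taken from the advisory.
const samples = ["registry.example.com:5000", "registry.example.com; echo INJECTED"];
for (const s of samples) {
  console.log({
    input: s,
    accepted: isPlausibleRegistry(s),
    unescaped: logoutCommandUnescaped(s),
    escaped: logoutCommandEscaped(s),
  });
}
```

In the unescaped output for the second sample, the text after ";" is a separate shell command; in the escaped output it stays inside one quoted argument, and the validator rejects the value before any command is built.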
Affected Version(s)
dokploy <= 0.29.0
