Executive Summary
A critical OS command injection vulnerability (CVE-2026-27130) has been identified in Dokploy, a free, self-hostable Platform-as-a-Service (PaaS). Versions 0.26.6 and below are vulnerable. Attackers can inject arbitrary shell commands through the appName parameter due to three chained security weaknesses, achieving remote code execution (RCE) on the hosting server — potentially with root privileges in containerised deployment scenarios.
CVSS Score: 9.9 (Critical) CWE: CWE-78 — Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Dokploy is commonly self-hosted by developers, small teams, and infrastructure operators as an open-source alternative to Heroku and Railway. Deployments often have privileged access to the underlying host, making this vulnerability especially severe.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-27130 |
| CVSS Score | 9.9 (Critical) |
| CWE | CWE-78 — OS Command Injection |
| Type | Remote Code Execution (unauthenticated) |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Fixed Version | Dokploy 0.26.7+ |
Affected Products
| Product | Vulnerable Versions | Patched Version |
|---|---|---|
| Dokploy (self-hosted PaaS) | 0.26.6 and all prior versions | 0.26.7 and above |
Technical Analysis
Three Chained Weaknesses
The vulnerability arises from three individual security failures that chain together to produce a critical-severity command injection:
1. Inadequate Input Sanitization
The appName parameter accepted by Dokploy's application management endpoints is not stripped of shell metacharacters. Characters including semicolons (;), pipes (|), backticks, and command substitution sequences pass through the input layer unmodified.
2. Lack of Schema Validation
No schema-level validation enforces character constraints on the appName field. A proper allowlist validation (e.g., alphanumeric plus hyphens/underscores only) would reject malicious input before it reaches any execution path.
3. Direct Shell Interpolation
The appName value is interpolated directly into shell commands. Rather than using safe subprocess APIs with argument arrays (which bypass shell interpretation entirely), the application constructs shell command strings that include user-controlled data.
Attack Vector
An attacker sends a crafted request to a Dokploy API endpoint that accepts an appName parameter:
POST /api/application/create
{
"appName": "myapp; malicious-command-here",
...
}
The injected payload is executed by the shell with Dokploy's process privileges. Given that Dokploy manages Docker containers and deployment pipelines, it typically runs with elevated privileges — in many installations, this translates to root-equivalent access on the host.
Why CVSS 9.9?
The near-perfect CVSS score reflects:
- No authentication required in the vulnerable code path
- No user interaction needed
- Network-accessible attack surface
- High impact on confidentiality, integrity, and availability
- Potential for privilege escalation to host OS via Docker socket access
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Server Compromise | Arbitrary command execution with Dokploy process privileges |
| Container Escape Risk | Docker socket access may enable host OS compromise |
| All Hosted Applications | Every application managed by the Dokploy instance is at risk |
| Data Exfiltration | Access to environment variables, database credentials, secrets |
| Persistent Backdoor | Attackers can establish persistence via cron, SSH keys, or container images |
Immediate Remediation
Step 1: Upgrade Dokploy
Update to Dokploy 0.26.7 or later immediately:
# Check current Dokploy version
dokploy --version
# or check package.json / docker image tag
# Update via the official update command (if using Dokploy's built-in updater)
curl -sSL https://dokploy.com/install.sh | sh
# If running via Docker Compose, pull the latest image
docker pull dokploy/dokploy:latest
docker compose up -dStep 2: Restrict Network Access
If an immediate upgrade is not possible, restrict access to the Dokploy management interface:
# Restrict Dokploy API to trusted IPs only via firewall
ufw allow from 10.0.0.0/8 to any port 3000
ufw deny 3000
# Or configure Nginx/Traefik to require authentication before proxying to DokployStep 3: Audit Existing Applications and Secrets
Assume compromise if running a vulnerable version that was network-accessible:
# Review recent command history on the host
cat /root/.bash_history
cat /home/*/.bash_history
# Check for new SSH authorized keys
cat /root/.ssh/authorized_keys
# Review recently modified files
find / -newer /tmp/check -type f 2>/dev/null | grep -v proc | head -50
# Check for new cron jobs
crontab -l
ls -la /etc/cron*Step 4: Rotate All Secrets
Rotate all secrets stored in or accessible from the Dokploy environment:
- All environment variables configured in Dokploy applications
- Docker registry credentials
- SSH keys used for deployment
- Any cloud provider API tokens
- Database passwords for hosted applications
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected processes spawned by Dokploy | Processes that are not Docker or Node.js in origin |
| New SSH keys added | Entries in /root/.ssh/authorized_keys not added by administrators |
| Unusual outbound connections | DNS, HTTP, or TCP connections to unknown external hosts |
| New cron jobs or systemd timers | Persistence mechanisms installed by attacker |
| Modified container images | Base images or entrypoints altered from expected values |
Post-Remediation Checklist
- Upgrade Dokploy to 0.26.7 or later
- Rotate all secrets and credentials accessible from the Dokploy environment
- Audit server logs and process history for signs of prior exploitation
- Restrict Dokploy management interface to trusted network segments
- Review Docker socket exposure and apply least-privilege controls
- Enable rate limiting and authentication on all Dokploy API endpoints
- Document the incident and remediation in your change management system