External risk intelligence

A Dokploy flaw lets authenticated attackers take full control of your server.

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2026-27130

Dokploy's command injection flaw lets authenticated users take over your server. Update to 0.26.7 now to prevent serious data compromise and unauthorized access.

Halo Surface Signal: 3

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-27130

The vulnerability exists within the management interface of a self-hosted Platform as a Service (PaaS). While such dashboards are sometimes exposed to the internet for remote access, they are frequently deployed in restricted, internal, or VPN-only environments, making public internet exposure possible but not a standard or required deployment pattern for the product.

Horizon Alert

Summary of the vulnerability and why it matters

An issue in Dokploy allows an authenticated user to inject commands on the server. This happens because user-provided application names are not properly checked before being used in system commands. It's critical to address this as it could let an attacker gain full control of the server.

  • Execute arbitrary commands.
  • Affects servers running Dokploy.
  • Allows for significant data compromise.

Attack Path

How an attacker could exploit the issue

An authenticated attacker can exploit this vulnerability by injecting shell metacharacters into the `appName` field when creating a new application in Dokploy. Because sanitization of that field is insufficient, the input reaches a shell command unchanged and is executed with server-level privileges when users perform standard service operations.

  • Requires authenticated access.
  • Targets application creation.
  • Exploits `appName` parameter.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Dokploy allows authenticated attackers to execute arbitrary OS commands with server-level privileges through the `appName` parameter. The chaining of inadequate input sanitization, lack of schema validation, and direct shell interpolation creates a critical path for exploitation. While the vulnerability is critical, its exploitation likelihood depends on whether the Dokploy instance is exposed externally.

  • Exploitable with authenticated user.
  • Critical OS command injection.
  • Patch released; older versions vulnerable.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize patching or upgrading Dokploy to version 0.26.7 immediately, as this critical vulnerability allows authenticated attackers to execute arbitrary OS commands with server-level privileges. If immediate patching is not feasible, isolating affected services from the network and disabling their functionality is crucial to prevent exploitation.

  • Upgrade Dokploy to 0.26.7.
  • Isolate or disable affected services.
  • Monitor for signs of command injection.

Frequently asked questions

What is Dokploy and what is it used for?

Dokploy is a free, self-hostable Platform as a Service (PaaS) that allows users to manage and deploy applications. It provides a way to run your own cloud-like environment for hosting and managing services.

What is the weakness in CVE-2026-27130, and how does it work?

CVE-2026-27130 is an OS command injection vulnerability. It occurs because Dokploy doesn't properly sanitize application names entered by users before using them in server commands, allowing attackers to insert malicious commands.

How can an attacker exploit this Dokploy vulnerability?

An authenticated attacker can inject special characters into the application name field when creating an application. These injected commands can then be executed by the server when certain service operations, like starting or stopping an application, are performed.

Who should be concerned about this Dokploy vulnerability?

Anyone running Dokploy versions prior to 0.26.7 should be concerned. The Halo Surface Signal indicates a 'Possible' exposure risk, meaning while the vulnerability is critical, its actual reach depends on whether the Dokploy instance is accessible from the internet or only internal networks.

What is the first step to respond to this Dokploy threat?

The most important first step is to upgrade Dokploy to version 0.26.7 or later. If an immediate upgrade isn't possible, isolating the Dokploy service from the network can help prevent exploitation until a patch can be applied.
