External risk intelligence

Dokploy Path Traversal Leading to Remote Code Execution.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-45661

A vulnerability in Dokploy allows authenticated users to write arbitrary files to remote servers, leading to code execution and potential server compromise. This impacts organizations by risking data exfiltration and persistent backdoor installations. The business risk involves unauthorized access and operational disru

Halo Surface Signal: 4

Path Traversal

External exposure likelihood

Dokploy is a self-hostable Platform as a Service (PaaS) designed for application deployment and remote server management. Such platforms typically function as centralized web-based management consoles or edge gateways intended to be reachable over the network to manage various downstream environments.

Horizon Alert

Summary of the vulnerability and why it matters

Dokploy, a self-hostable Platform as a Service, contains a critical vulnerability that permits authenticated users to write arbitrary files to a server's filesystem. This flaw can be leveraged to achieve remote code execution and bypass container isolation, potentially leading to complete server compromise. The vulnerability allows for data exfiltration and the installation of persistent backdoors without direct user intervention.

  • Vulnerable to file writing during deployment.
  • Allows arbitrary file write to remote servers.
  • Potential for server compromise and data exfiltration.

Attack Path

How an attacker could exploit the issue

This vulnerability allows authenticated users to write arbitrary files to remote server file systems during application deployment. This can lead to remote code execution through cron jobs, enabling complete server compromise, data exfiltration, and persistent backdoor installation. The attack bypasses container isolation on remote deployments.

  • Exposure: Network accessible management console.
  • Attacker: Authenticated user.
  • Trigger: Application deployment with malicious file write.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in Dokploy could allow authenticated users to gain full control over remote servers during application deployment. This could lead to the compromise of sensitive data and the installation of persistent backdoors. The vulnerability bypasses container isolation, enabling extensive damage.

  • Attackers with authenticated user access.
  • Remote server deployment feature must be enabled.
  • Complete server compromise and data exfiltration.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows authenticated users to write arbitrary files to a server's filesystem during application deployment, potentially leading to remote code execution and complete server compromise. The impact includes unauthorized access to systems, data exfiltration, and persistent backdoor installation, bypassing container isolation on remote deployments. This presents a significant risk to organizational data and operational continuity.

  • Find Dokploy instances that are externally facing.
  • Restrict access to Dokploy instances.
  • Apply vendor fix and validate.
  • Monitor for related issues.

Frequently asked questions

What is Dokploy and how does it function?

Dokploy is a free, self-hostable Platform as a Service (PaaS) used for deploying and managing applications. It acts as a central system for overseeing multiple downstream environments accessible over a network.

What is the weakness class of CVE-2026-45661?

CVE-2026-45661 is characterized by weaknesses categorized as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory or 'Path Traversal') and CWE-35 (Improper Restriction of Operation within the Bounds of a File).
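
CWE-22 in a deployment file write comes down to joining a user-supplied relative path onto an application directory without confining the result. The following is an added example, not Dokploy's code or the vendor fix: a naive join beside a lexical containment check, where `APP_ROOT`, the function names and the sample paths are constructed assumptions.

```javascript
// Added example: generic containment check, not Dokploy's code or its fix.
const APP_ROOT = "/srv/apps/demo/files"; // constructed base directory (assumption)

// Lexically resolve a POSIX path (the remote target is assumed to be Linux).
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); // popping at the root is a no-op, like "/.."
    else out.push(seg);
  }
  return "/" + out.join("/");
}

// Weak pattern: join and write. Where the file lands is decided by the input.
function naiveTarget(userPath, root = APP_ROOT) {
  return normalizePosix(root + "/" + userPath);
}

// Hardened pattern: return the confined absolute path or throw.
function safeTarget(userPath, root = APP_ROOT) {
  if (typeof userPath !== "string" || userPath === "") throw new Error("empty path");
  if (userPath.includes("\0")) throw new Error("NUL byte in path");
  if (userPath.startsWith("/")) throw new Error("absolute path rejected");
  const base = normalizePosix(root);
  const resolved = normalizePosix(base + "/" + userPath);
  // Compare against base + "/" so a sibling such as ".../files-evil" is not
  // mistaken for a child of ".../files"; this also rejects the root itself.
  if (!resolved.startsWith(base + "/")) throw new Error("path escapes root");
  // Lexical check only: the writer must also refuse to follow symlinks.
  return resolved;
}

// Non-throwing wrapper for callers and tests.
function check(userPath) {
  try {
    return { ok: true, path: safeTarget(userPath) };
  } catch (e) {
    return { ok: false, reason: e.message };
  }
}

// Constructed sample inputs.
for (const p of ["config/app.env", "a/../b.txt", "../../../../etc/cron.d/job", "../files-evil/x"]) {
  console.log(JSON.stringify(p), "->", JSON.stringify(check(p)));
}
```

The `../files-evil/x` case is the one a plain `startsWith(root)` comparison would let through, which is why the check appends the separator before comparing.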

How can CVE-2026-45661 be exploited, and what is the scope?

Authenticated users can exploit this by writing arbitrary files to the filesystem during application deployment. This can lead to remote code execution on remote servers, bypassing container isolation.

What is the relevance of CVE-2026-45661 for organizations?

The Halo Surface Signal indicates a 'Likely' threat, as Dokploy is a network-accessible management console for application deployment, making it a potential target for authenticated users seeking to compromise remote servers.

What practical steps can be taken to address this vulnerability?

Organizations should identify external-facing Dokploy instances, restrict access, apply vendor fixes, and monitor for related security issues to mitigate the risk of compromise, data exfiltration, and backdoor installation.
