A critical command injection vulnerability has been identified in the Dokploy PaaS, affecting versions prior to 0.26.6. This flaw allows an authenticated attacker to execute arbitrary commands on the underlying server, potentially leading to a complete system compromise, data theft, and service disruption. Due to the high severity (CVSS 9.9), immediate patching is required to prevent a full takeover of the host environment.

The vulnerability is a command injection flaw within the /docker-container-terminal WebSocket endpoint. The endpoint accepts containerId and activeWay parameters which are insecurely passed to a shell command on the host server without proper sanitization or validation. An authenticated attacker can manipulate these parameters to inject and execute arbitrary shell commands with the privileges of the Dokploy service, leading to remote code execution (RCE) on the host.

This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation would result in a complete compromise of the server hosting Dokploy, granting the attacker full control. The potential business impact includes theft or modification of sensitive data, deployment of ransomware, complete disruption of all applications managed by Dokploy, and the ability for an attacker to use the compromised server as a pivot point to attack other systems within the internal network. This represents a total loss of confidentiality, integrity, and availability for the affected system and its hosted services.

Immediate Action: Immediately upgrade all Dokploy instances to version 0.26.6 or later, which contains the fix for this vulnerability. After patching, review system and application logs for any signs of compromise or suspicious activity preceding the update.

Proactive Monitoring:

• Monitor WebSocket connection logs for unusual or malformed requests to the /docker-container-terminal endpoint.
• Implement host-based monitoring to detect anomalous process execution, especially unexpected shell commands spawned by the Dokploy user/service.
• Analyze outbound network traffic from the Dokploy server for connections to unknown or malicious destinations.
• Review Dokploy access logs for unauthorized or suspicious authentication events.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Restrict network access to the Dokploy management interface and API endpoints to trusted IP addresses using a firewall.
• Deploy a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious WebSocket payloads targeting command injection.
• Enforce the principle of least privilege for all user accounts with access to Dokploy, and ensure multi-factor authentication is enabled.

Public Exploit Available: true

Given the critical CVSS score of 9.9 and the risk of complete system compromise, it is imperative that organizations treat this vulnerability with the highest priority. The provided remediation to upgrade to version 0.26.6 or later should be applied immediately across all affected systems. Although this vulnerability is not currently listed on the CISA KEV list, its severity makes it a prime candidate for future inclusion. Do not delay patching.