CVE-2026-45633

Dokploy · PaaS

Dokploy contains a command injection vulnerability in the /docker-container-logs WebSocket endpoint that allows authenticated users to execute arbitrary commands with root privileges.

Executive summary

A command injection vulnerability in Dokploy allows authenticated users to achieve root-level remote code execution.

Vulnerability

The vulnerability exists in the /docker-container-logs WebSocket endpoint, where the 'tail' and 'since' parameters are not properly validated before being concatenated into shell commands. An authenticated user can therefore escape the intended functionality and execute arbitrary commands with root privileges on the host system.

Business impact

This vulnerability carries a CVSS score of 9.9, indicating a critical risk to the confidentiality, integrity, and availability of the hosting environment. Successful exploitation grants an attacker full root-level control over the server, enabling complete system compromise, data theft, or the deployment of persistent backdoors.

Remediation

Immediate Action: Upgrade Dokploy to version 0.26.7 or later.

Proactive Monitoring: Audit WebSocket traffic logs for unusual 'tail' or 'since' parameter values and monitor system logs for unexpected shell process spawning.

Compensating Controls: Implement strict network access controls to limit access to the Dokploy management interface to trusted administrative IP addresses.
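
One way to carry out the audit described under Proactive Monitoring, as an added example that is not Dokploy's code: it flags /docker-container-logs requests whose 'tail' or 'since' values fall outside a strict allow-list. The log line format, the allow-list patterns and the function names are assumptions to adapt to your own deployment.

```javascript
// Added example. Allow-list patterns are assumptions, not Dokploy's own
// validation: widen them if your clients legitimately send other forms
// (for instance timestamps in 'since').
const CHECKS = [
  ["tail", /^(all|\d{1,7})$/],        // assumed: a line count or "all"
  ["since", /^(all|\d{1,6}[smhd])$/], // assumed: "all" or a duration such as 5m
];

// Returns null for a clean or unrelated line, else { line, findings }.
function auditLogLine(line) {
  // Assumed format: the request target is a whitespace-delimited token.
  const target = line
    .split(/\s+/)
    .find((tok) => tok.startsWith("/docker-container-logs"));
  if (!target) return null;

  // URLSearchParams percent-decodes, so encoded metacharacters are seen too.
  const params = new URL(target, "http://placeholder.invalid").searchParams;
  const findings = [];
  for (const [name, pattern] of CHECKS) {
    const values = params.getAll(name);
    if (values.length > 1) findings.push(`${name} repeated ${values.length} times`);
    for (const v of values) {
      if (!pattern.test(v)) findings.push(`${name}=${JSON.stringify(v)}`);
    }
  }
  return findings.length ? { line, findings } : null;
}

function auditLog(lines) {
  return lines.map(auditLogLine).filter(Boolean);
}

// Constructed sample lines, not real traffic; other query parameters omitted.
const SAMPLE_LOG = [
  "203.0.113.10 GET /docker-container-logs?tail=100&since=5m 101",
  "203.0.113.10 GET /docker-container-logs?tail=100%3Bx&since=all 101",
  "203.0.113.11 GET /docker-container-logs?tail=50&since=5m%20x 101",
  "203.0.113.12 GET /api/health 200",
];

for (const hit of auditLog(SAMPLE_LOG)) {
  console.log(hit.findings.join(", "), "<-", hit.line);
}
```

An allow-list is used rather than a deny-list of shell metacharacters, so any value that is not a plain count or duration is surfaced for review.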

Exploitation status

Public Exploit Available: None

Analyst recommendation

Given the critical severity of this vulnerability, immediate patching is required to prevent unauthorized root-level access. Organizations utilizing Dokploy must prioritize upgrading to version 0.26.7 to eliminate the command injection vector.