An authenticated, low-privileged user without belonging to any organisation can run arbitrary OS commands on the Dokploy host.

Impact

An authenticated, low-privileged user without belonging to any organisation can run
arbitrary OS commands on the Dokploy host. The tRPC procedure
docker.getContainersByAppNameMatch interpolates the attacker-supplied appName
value into a Docker CLI call without sanitisation, enabling command injection under the
Dokploy service account.

Patches

v0.23.7

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

An authenticated, low-privileged user without belonging to any organisation can run arbitrary OS commands on the Dokploy host.

Package

Affected versions

Patched versions

Description

Impact

Patches

Severity

CVE ID

Weaknesses

Credits