CVE-2026-45629 -- CVSS 9.9 Vulnerability Briefing
CVE-2026-45629 | CVSS 9.9 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-45629 is an authenticated OS command injection vulnerability in Dokploy, a self-hostable open-source Platform as a Service application, specifically affecting the /listen-deployment WebSocket endpoint in version 0.28.8 and earlier.
Technical Detail
The flaw exists in the WebSocket handler at /listen-deployment, where user-supplied input is passed to an OS-level command without adequate sanitization or escaping, enabling command injection by any authenticated organization member regardless of their privilege level within the platform. An attacker with a valid account in any organization on the Dokploy instance can send a crafted WebSocket message to this endpoint to execute arbitrary commands on the underlying host operating system. From the host's perspective, the practical impact is remote code execution that is effectively unauthenticated: the only barrier is a low-privilege account, and the resulting access is at the OS level, potentially compromising the entire server and every workload the PaaS manages.
Exploitation Status
No known exploit code has been publicly observed or confirmed as of June 05, 2026. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Despite the absence of a confirmed exploit, the CVSS score of 9.9 Critical and the low privilege requirement make this a high-priority candidate for exploitation once details become more widely known.
Who Is Targeting This
No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this CVE as of the date of this briefing.
What To Do
Organizations running Dokploy should upgrade to a patched release above version 0.28.8 immediately, treating this as a critical priority given the CVSS score and the low barrier to exploitation for any authenticated user. If an immediate upgrade is not feasible, restrict access to the Dokploy instance by limiting WebSocket connectivity to trusted IP ranges or placing the management interface behind a VPN or authenticated reverse proxy to reduce the attack surface. Audit organization membership to ensure no unauthorized or low-trust accounts exist on the platform. Monitor WebSocket traffic to the /listen-deployment endpoint for anomalous or unexpected payloads as a detection signal. Check the official Dokploy GitHub repository and release notes for the specific patched version and any additional guidance from the maintainers.