Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2026-45633 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-45633 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-45633 is a command injection vulnerability in Dokploy, a self-hostable open-source Platform as a Service application, specifically affecting the /docker-container-logs WebSocket endpoint in version 0.26.6 and earlier.

Technical Detail

The flaw exists in how the /docker-container-logs WebSocket endpoint handles user-supplied parameters, specifically the tail argument and at least one additional parameter, which are passed unsanitized into a shell command. An attacker who can reach this endpoint can inject arbitrary shell commands by manipulating these parameters, resulting in remote code execution (RCE) on the host running the Dokploy instance. Given that Dokploy manages containerized infrastructure and typically runs with elevated privileges, successful exploitation could allow full compromise of the underlying host and any managed workloads.

Exploitation Status

No known exploit code has been publicly observed or confirmed as of June 05, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Despite the absence of a confirmed exploit, the critical CVSS score of 9.9 and the straightforward nature of command injection flaws mean that weaponization is technically accessible to moderately skilled attackers once the vulnerability details are widely known.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this vulnerability as of the date of this briefing.

What To Do

Operators running Dokploy should upgrade to a patched release above version 0.26.6 immediately, treating this as a high-priority patch given the critical severity rating and the RCE impact. If an immediate upgrade is not possible, restrict network access to the Dokploy management interface and the WebSocket endpoint at the network perimeter, ensuring that only trusted, authenticated users can reach the service. Operators should also audit logs for unexpected WebSocket connections to the /docker-container-logs endpoint and look for anomalous process execution originating from the Dokploy process tree as a detection signal. Self-hosted deployments exposed to the internet should be treated as highest priority for remediation.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →