Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig …

CVE-2026-45630 affects Dokploy, a free self-hostable Platform as a Service (PaaS) solution. The vulnerability exists in versions 0.28.8 and earlier, where authenticated OS command injection can occur through the application.updateTraefikConfig tRPC endpoint. Admin and owner users can exploit this flaw to execute arbitrary system commands on remote servers due to unsanitized echo shell interpolation. This represents a critical security issue as it allows privileged users to gain unauthorized command execution capabilities on the underlying system infrastructure.