diff --git a/app/Actions/Server/StartSentinel.php b/app/Actions/Server/StartSentinel.php
index 1f248aec1..071f3ec46 100644
--- a/app/Actions/Server/StartSentinel.php
+++ b/app/Actions/Server/StartSentinel.php
@@ -4,6 +4,7 @@
 
 use App\Events\SentinelRestarted;
 use App\Models\Server;
+use App\Models\ServerSetting;
 use Lorisleiva\Actions\Concerns\AsAction;
 
 class StartSentinel
@@ -23,6 +24,9 @@ public function handle(Server $server, bool $restart = false, ?string $latestVer
         $refreshRate = data_get($server, 'settings.sentinel_metrics_refresh_rate_seconds');
         $pushInterval = data_get($server, 'settings.sentinel_push_interval_seconds');
         $token = data_get($server, 'settings.sentinel_token');
+        if (! ServerSetting::isValidSentinelToken($token)) {
+            throw new \RuntimeException('Invalid sentinel token format. Token must contain only alphanumeric characters, dots, hyphens, and underscores.');
+        }
         $endpoint = data_get($server, 'settings.sentinel_custom_url');
         $debug = data_get($server, 'settings.is_sentinel_debug_enabled');
         $mountDir = '/data/coolify/sentinel';
@@ -49,7 +53,7 @@ public function handle(Server $server, bool $restart = false, ?string $latestVer
             }
             $mountDir = '/var/lib/docker/volumes/coolify_dev_coolify_data/_data/sentinel';
         }
-        $dockerEnvironments = '-e "'.implode('" -e "', array_map(fn ($key, $value) => "$key=$value", array_keys($environments), $environments)).'"';
+        $dockerEnvironments = implode(' ', array_map(fn ($key, $value) => '-e '.escapeshellarg("$key=$value"), array_keys($environments), $environments));
         $dockerLabels = implode(' ', array_map(fn ($key, $value) => "$key=$value", array_keys($labels), $labels));
         $dockerCommand = "docker run -d $dockerEnvironments --name coolify-sentinel -v /var/run/docker.sock:/var/run/docker.sock -v $mountDir:/app/db --pid host --health-cmd \"curl --fail http://127.0.0.1:8888/api/health || exit 1\" --health-interval 10s --health-retries 3 --add-host=host.docker.internal:host-gateway --label $dockerLabels $image";
 
diff --git a/app/Livewire/Server/Sentinel.php b/app/Livewire/Server/Sentinel.php
index cdcdc71fc..dff379ae1 100644
--- a/app/Livewire/Server/Sentinel.php
+++ b/app/Livewire/Server/Sentinel.php
@@ -19,7 +19,7 @@ class Sentinel extends Component
 
     public bool $isMetricsEnabled;
 
-    #[Validate(['required'])]
+    #[Validate(['required', 'string', 'max:500', 'regex:/\A[a-zA-Z0-9._\-+=\/]+\z/'])]
     public string $sentinelToken;
 
     public ?string $sentinelUpdatedAt = null;
diff --git a/app/Models/ServerSetting.php b/app/Models/ServerSetting.php
index 0ad0fcf84..504cfa60a 100644
--- a/app/Models/ServerSetting.php
+++ b/app/Models/ServerSetting.php
@@ -92,6 +92,15 @@ protected static function booted()
         });
     }
 
+    /**
+     * Validate that a sentinel token contains only safe characters.
+     * Prevents OS command injection when the token is interpolated into shell commands.
+     */
+    public static function isValidSentinelToken(string $token): bool
+    {
+        return (bool) preg_match('/\A[a-zA-Z0-9._\-+=\/]+\z/', $token);
+    }
+
     public function generateSentinelToken(bool $save = true, bool $ignoreEvent = false)
     {
         $data = [
diff --git a/app/Traits/HasMetrics.php b/app/Traits/HasMetrics.php
index 667d58441..7ed82cc91 100644
--- a/app/Traits/HasMetrics.php
+++ b/app/Traits/HasMetrics.php
@@ -2,6 +2,8 @@
 
 namespace App\Traits;
 
+use App\Models\ServerSetting;
+
 trait HasMetrics
 {
     public function getCpuMetrics(int $mins = 5): ?array
@@ -26,8 +28,13 @@ private function getMetrics(string $type, int $mins, string $valueField): ?array
         $from = now()->subMinutes($mins)->toIso8601ZuluString();
         $endpoint = $this->getMetricsEndpoint($type, $from);
 
+        $token = $server->settings->sentinel_token;
+        if (! ServerSetting::isValidSentinelToken($token)) {
+            throw new \Exception('Invalid sentinel token format. Please regenerate the token.');
+        }
+
         $response = instant_remote_process(
-            ["docker exec coolify-sentinel sh -c 'curl -H \"Authorization: Bearer {$server->settings->sentinel_token}\" {$endpoint}'"],
+            ["docker exec coolify-sentinel sh -c 'curl -H \"Authorization: Bearer {$token}\" {$endpoint}'"],
             $server,
             false
         );
diff --git a/tests/Feature/SentinelTokenValidationTest.php b/tests/Feature/SentinelTokenValidationTest.php
new file mode 100644
index 000000000..43048fcaa
--- /dev/null
+++ b/tests/Feature/SentinelTokenValidationTest.php
@@ -0,0 +1,95 @@
+<?php
+
+use App\Models\Server;
+use App\Models\ServerSetting;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+
+uses(RefreshDatabase::class);
+
+beforeEach(function () {
+    $user = User::factory()->create();
+    $this->team = $user->teams()->first();
+
+    $this->server = Server::factory()->create([
+        'team_id' => $this->team->id,
+    ]);
+});
+
+describe('ServerSetting::isValidSentinelToken', function () {
+    it('accepts alphanumeric tokens', function () {
+        expect(ServerSetting::isValidSentinelToken('abc123'))->toBeTrue();
+    });
+
+    it('accepts tokens with dots, hyphens, and underscores', function () {
+        expect(ServerSetting::isValidSentinelToken('my-token_v2.0'))->toBeTrue();
+    });
+
+    it('accepts long base64-like encrypted tokens', function () {
+        $token = 'eyJpdiI6IjRGN0V4YnRkZ1p0UXdBPT0iLCJ2YWx1ZSI6IjZqQT0iLCJtYWMiOiIxMjM0NTY3ODkwIn0';
+        expect(ServerSetting::isValidSentinelToken($token))->toBeTrue();
+    });
+
+    it('accepts tokens with base64 characters (+, /, =)', function () {
+        expect(ServerSetting::isValidSentinelToken('abc+def/ghi='))->toBeTrue();
+    });
+
+    it('rejects tokens with double quotes', function () {
+        expect(ServerSetting::isValidSentinelToken('abc" ; id ; echo "'))->toBeFalse();
+    });
+
+    it('rejects tokens with single quotes', function () {
+        expect(ServerSetting::isValidSentinelToken("abc' ; id ; echo '"))->toBeFalse();
+    });
+
+    it('rejects tokens with semicolons', function () {
+        expect(ServerSetting::isValidSentinelToken('abc;id'))->toBeFalse();
+    });
+
+    it('rejects tokens with backticks', function () {
+        expect(ServerSetting::isValidSentinelToken('abc`id`'))->toBeFalse();
+    });
+
+    it('rejects tokens with dollar sign command substitution', function () {
+        expect(ServerSetting::isValidSentinelToken('abc$(whoami)'))->toBeFalse();
+    });
+
+    it('rejects tokens with spaces', function () {
+        expect(ServerSetting::isValidSentinelToken('abc def'))->toBeFalse();
+    });
+
+    it('rejects tokens with newlines', function () {
+        expect(ServerSetting::isValidSentinelToken("abc\nid"))->toBeFalse();
+    });
+
+    it('rejects tokens with pipe operator', function () {
+        expect(ServerSetting::isValidSentinelToken('abc|id'))->toBeFalse();
+    });
+
+    it('rejects tokens with ampersand', function () {
+        expect(ServerSetting::isValidSentinelToken('abc&&id'))->toBeFalse();
+    });
+
+    it('rejects tokens with redirection operators', function () {
+        expect(ServerSetting::isValidSentinelToken('abc>/tmp/pwn'))->toBeFalse();
+    });
+
+    it('rejects empty strings', function () {
+        expect(ServerSetting::isValidSentinelToken(''))->toBeFalse();
+    });
+
+    it('rejects the reported PoC payload', function () {
+        expect(ServerSetting::isValidSentinelToken('abc" ; id >/tmp/coolify_poc_sentinel ; echo "'))->toBeFalse();
+    });
+});
+
+describe('generated sentinel tokens are valid', function () {
+    it('generates tokens that pass format validation', function () {
+        $settings = $this->server->settings;
+        $settings->generateSentinelToken(save: false, ignoreEvent: true);
+        $token = $settings->sentinel_token;
+
+        expect($token)->not->toBeEmpty();
+        expect(ServerSetting::isValidSentinelToken($token))->toBeTrue();
+    });
+});