diff --git a/CHANGES b/CHANGES
index da610168b..95bc7fde0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2012,4 +2012,5 @@
 [5.4.0]
 * Update nginx to 1.18 for various security fixes
+* Add ping capability (for statping app)
diff --git a/package-lock.json b/package-lock.json
index fe2c5ed0f..791798220 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -741,9 +741,9 @@
 }
 },
 "cloudron-manifestformat": {
- "version": "5.4.0",
- "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.4.0.tgz",
- "integrity": "sha512-MpgAMpBm3k14bH3lLaCUzcBtgC458Qx75blORHqTxJ83aGJp4P7+YYM/ABVGHVD0842OcR3JvQlCUT7+4cs6Cg==",
+ "version": "5.5.0",
+ "resolved": "https://registry.npmjs.org/cloudron-manifestformat/-/cloudron-manifestformat-5.5.0.tgz",
+ "integrity": "sha512-Xf1vOwCFT5h1MZQ9fC8EyfL2jfpVlShg5r7est/ZA+vSzcbvk2nQxPmpk4q4e6iDfr19B7iUw2b2X7mw5c1Dlg==",
 "requires": {
 "cron": "^1.8.2",
 "java-packagename-regex": "^1.0.0",
diff --git a/package.json b/package.json
index 4ba4ad7b4..f80659d55 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
 "async": "^2.6.3",
 "aws-sdk": "^2.685.0",
 "body-parser": "^1.19.0",
- "cloudron-manifestformat": "^5.4.0",
+ "cloudron-manifestformat": "^5.5.0",
 "connect": "^3.7.0",
 "connect-lastmile": "^2.0.0",
 "connect-timeout": "^1.9.0",
diff --git a/src/docker.js b/src/docker.js
index 592007104..ec17c09ca 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -307,7 +307,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
 DnsSearch: ['.'], // use internal dns
 SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
 CapAdd: [],
- CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
+ CapDrop: []
 },
 NetworkingConfig: {
 EndpointsConfig: {
@@ -319,8 +319,11 @@ function createSubcontainer(app, name, cmd, options, callback) {
 };
 var capabilities = manifest.capabilities || [];
+
+ // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
 if (capabilities.includes('net_admin')) containerOptions.HostConfig.CapAdd.push('NET_ADMIN', 'NET_RAW');
 if (capabilities.includes('mlock')) containerOptions.HostConfig.CapAdd.push('IPC_LOCK'); // mlock prevents swapping
+ if (!capabilities.includes('ping')) containerOptions.HostConfig.CapDrop.push('NET_RAW'); // NET_RAW is included by default by Docker
 containerOptions = _.extend(containerOptions, options);
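Review bot: `CapDrop: []` in the HostConfig literal now reads as if nothing is dropped, while the NET_RAW drop has moved to a conditional further down the function that a reader of this hunk cannot see. A short pointer on the line would keep the hardening discoverable and stop a future cleanup from treating the empty array as dead, e.g. `CapDrop: [] // populated below from manifest.capabilities: NET_RAW is dropped unless the app declares 'ping'`. The rest of the createSubcontainer body, including the code that fills this array, lies outside the hunk.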
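Review bot: The new drop condition on the last added line looks only at `ping`, so an app that declares `net_admin` but not `ping` ends up with NET_RAW in both CapAdd (pushed two lines earlier) and CapDrop; how Docker resolves a capability listed on both sides is not something this hunk pins down, so the intent is better made explicit: `if (!capabilities.includes('ping') && !capabilities.includes('net_admin')) containerOptions.HostConfig.CapDrop.push('NET_RAW');`. Note also that `ping` grants the full NET_RAW capability, not ICMP alone — raw sockets allow crafting arbitrary packets and sniffing the container's own interface, which is considerably more than the manifest name suggests — so the trailing comment should say so, e.g. `// 'ping' keeps NET_RAW (raw sockets: spoofing/sniffing on the app's interface), not just ICMP`. If the target app only needs ICMP echo, unprivileged ICMP sockets via the net.ipv4.ping_group_range sysctl would avoid granting NET_RAW at all, though whether the app supports that is not visible here. createSubcontainer starts before this hunk and continues after it.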