Dokploy: 10 Critical Flaws Disclosed — Path Traversal, RCE, and Hardcoded Secret
Ten vulnerabilities hit the self-hosted PaaS Dokploy on May 29, 2026, including a hardcoded auth secret (CVSS 10.0) and multiple command injection bugs that give attackers full server control.

Key findings
- CVE-2026-45631 (CVSS 10.0) uses hardcoded BETTER_AUTH_SECRET 'better-auth-secret-123456789' for unauthenticated admin takeover
- Five command injection CVEs allow authenticated RCE via unsanitized shell interpolation
- CVE-2026-45661 enables path traversal for arbitrary file writes during deployment
- CVE-2026-45632 and CVE-2026-43917 expose missing org-scoping checks across multiple endpoints
- Affected versions span 0.19.0 through 0.29.3; patches available in 0.29.3 and later
On May 29, 2026, a batch of ten CVEs was disclosed for Dokploy, a free, self-hostable Platform as a Service (PaaS) used by developers to deploy and manage containerized applications. The disclosure spans versions from 0.19.0 through 0.29.3 and includes eight Critical-severity bugs, one High-severity issue, and one Medium-severity authorization flaw. The most severe of the batch, CVE-2026-45631, carries a CVSSv3 score of 10.0 — a hardcoded BETTER_AUTH_SECRET fallback that lets any unauthenticated attacker forge email verification JWTs, auto-sign in as admin, and execute commands on the host via Dokploy's built-in SSH terminal.
Path traversal and arbitrary file write
CVE-2026-45661 (CVSS 9.9) is a critical path traversal vulnerability in Dokploy 0.26.5 and earlier. An authenticated user can write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this bug can lead to full server compromise. The traversal occurs during the deployment pipeline where file paths are not properly sanitized before being written to disk.
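The check a deployment pipeline needs before it writes a user-influenced path is the one this bug lacked: normalise the relative path, refuse anything that climbs out of the application's directory, and confirm the final path still sits under the base. The following Node.js function is an added example and not Dokploy's code; the base directory is a constructed sample, and the normalisation is written out by hand so the block runs without importing node:path (a real service would call path.resolve() and keep the same prefix check).

```javascript
// Added example (not Dokploy code): confine a user-supplied deployment file
// path to a per-application base directory before anything is written.
// Pure-string implementation so it runs stand-alone; in production use
// path.resolve() for the join and keep the prefix check as defense in depth.

const BASE_DIR = "/var/lib/dokploy/apps/app-1"; // constructed sample base

// Return a cleaned relative POSIX path, or null if the input must be rejected.
function normalizeRelative(rel) {
  if (typeof rel !== "string" || rel.length === 0) return null;
  // NUL bytes truncate C paths; backslashes behave as separators on Windows.
  if (rel.includes("\0") || rel.includes("\\")) return null;
  // Absolute paths are never acceptable for a file inside the app directory.
  if (rel.startsWith("/")) return null;
  const out = [];
  for (const seg of rel.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would climb above the base
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return out.length ? out.join("/") : null;
}

// Join and re-verify. If the path arrived URL-encoded, decode it before
// calling this, never after, so the check sees what the filesystem will see.
function safeJoin(base, rel) {
  const clean = normalizeRelative(rel);
  if (clean === null) return null;
  const full = base + "/" + clean;
  return full.startsWith(base + "/") ? full : null;
}
```

A null result should be treated as a rejected request and logged with the raw input, because a traversal attempt against a deployment endpoint is a strong signal of hostile authenticated activity.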
Command injection cluster — the dominant theme
The largest thematic group in this batch is command injection, with five CVEs sharing the same root cause: unsanitized user input interpolated into shell commands executed via child_process.exec() or similar mechanisms.
CVE-2026-45633 (CVSS 9.9) targets the /docker-container-logs WebSocket endpoint. The tail and since parameters are concatenated directly into shell commands without validation, allowing authenticated users to inject arbitrary commands.
CVE-2026-45628 (CVSS 9.6) affects Dokploy 0.29.2 and earlier. The application constructs shell commands using JavaScript template literals and executes them via child_process.exec() (which runs through /bin/sh -c). User-supplied branch names, repository URLs, and Docker credentials are interpolated directly, enabling authenticated command injection.
CVE-2026-45630 (CVSS 9.0) is an authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint. Admin and owner users can execute arbitrary system commands on remote servers via unsanitized echo shell interpolation.
CVE-2026-45629 (CVSS 9.9) affects the /listen-deployment WebSocket endpoint. Any organization member can execute arbitrary system commands on remote servers managed by Dokploy, leading to full server compromise.
CVE-2026-45663 (CVSS 9.9) is a command injection in the Docker file upload functionality. When an authenticated user uploads a file to a container, the destinationPath parameter is not sanitized and is directly interpolated into a shell command.
Shell escaping gaps in registry operations
CVE-2026-45662 (CVSS 8.8, High severity) affects Dokploy 0.29.0 and earlier. The deleteRegistry function in packages/server/src/services/registry.ts executes docker logout ${response.registryUrl} without shell escaping. Notably, the adjacent docker login command in the same file correctly uses shEscape(), making this an inconsistent sanitization gap that attackers can exploit.
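The command injection cluster and the registry escaping gap share one fix: user input never reaches /bin/sh -c as part of a command string. The block below is an added example, not Dokploy's code, covering both the log-tail parameters described under the command injection cluster and the docker logout case. It shows the two defensive patterns in order of preference: validate and pass an argv array to child_process.execFile()/spawn() so no shell is involved at all, and, where a single command string is unavoidable (for instance one sent to a remote server), single-quote every value. The shEscape() implementation here is an assumption about what a POSIX single-quote escaper does, not a copy of the project's function; the allowlist patterns are constructed for illustration.

```javascript
// Added example (not Dokploy code): two ways to keep user input out of the
// shell. Parameter names (tail, since, registryUrl) follow the advisory text;
// the allowlists and the shEscape() implementation are assumptions.

// Pattern 1: strict validation, then an argv array. execFile()/spawn() with an
// array never invokes a shell, so ';', '$(...)', '|' and friends are inert.
const CONTAINER_ID = /^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$/;
const TAIL = /^(all|[0-9]{1,6})$/;
const SINCE = /^(?:[0-9]{1,6}[smh]|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)$/;

function buildLogsArgv(containerId, tail, since) {
  if (!CONTAINER_ID.test(containerId)) throw new Error("invalid container id");
  if (!TAIL.test(tail)) throw new Error("invalid tail");
  if (!SINCE.test(since)) throw new Error("invalid since");
  // Hand this to child_process.execFile(argv[0], argv.slice(1)).
  return ["docker", "logs", "--tail", tail, "--since", since, containerId];
}

// Pattern 2: when a command *string* must be produced, wrap each value in
// single quotes. Inside single quotes a POSIX shell interprets nothing; an
// embedded single quote is handled by closing, escaping and reopening.
function shEscape(value) {
  return "'" + String(value).replace(/'/g, "'\\''") + "'";
}

// The registry case from the advisory: the logout path must escape exactly
// as the adjacent login path already does.
function buildDockerLogoutCommand(registryUrl) {
  return `docker logout ${shEscape(registryUrl)}`;
}

// Returns true if a value contains any character a shell could act on; useful
// for logging suspicious input even where escaping already makes it harmless.
function looksLikeShellInjection(value) {
  return /[;&|`$<>(){}\n\r'"\\]/.test(String(value));
}
```

Validation first, escaping second: an allowlist rejects bad input outright and produces an auditable error, whereas escaping only makes bad input harmless. A consistency check in review (every exec() or template-literal command either takes an argv array or wraps every interpolated value in shEscape()) is what would have caught the docker logout gap.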
Authorization bypass and missing org scoping
CVE-2026-45632 (CVSS 9.9) targets the schedule router in Dokploy 0.26.7 and earlier. The router does not enforce organization or role checks, meaning any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId or serverId. Schedule types served by this router include backup schedules, deployment schedules, and restart schedules — all of which can be manipulated by unauthorized users.
CVE-2026-43917 (Medium severity) is a broader authorization issue affecting Dokploy 0.19.0 and earlier. The protectedProcedure middleware only verifies that a user is authenticated — it does not enforce organization scoping. Each endpoint must individually verify that the resource's organization matches the session's activeOrganizationId, but many endpoints fail to do so, creating a systemic authorization gap.
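Both authorization findings come down to the same missing step: after authentication, every handler must confirm that the resource it loads (and any resource it references, such as a serverId) belongs to the session's active organization, and that the caller's role permits the action. The following Node.js block is an added example, not Dokploy's router code; the session shape, role names, and the in-memory stores are constructed for illustration, and real handlers would perform the same checks against database rows.

```javascript
// Added example (not Dokploy code): per-resource organization scoping for a
// schedule router. Session shape, role names and stores are constructed.

const ROLE_RANK = { member: 1, admin: 2, owner: 3 };

class AuthorizationError extends Error {}

// Called by every handler after loading the resource it is about to touch.
// Authentication (a protectedProcedure-style outer check) is assumed done;
// this supplies the tenant and role checks that each endpoint must not skip.
function assertOrgAccess(session, resource, minRole = "member") {
  if (!session || !session.activeOrganizationId) {
    throw new AuthorizationError("no active organization in session");
  }
  // One error for "does not exist" and "belongs to another org", so callers
  // cannot learn which ids exist outside their organization.
  if (!resource || resource.organizationId !== session.activeOrganizationId) {
    throw new AuthorizationError("not found");
  }
  const rank = ROLE_RANK[session.role] || 0;
  if (rank < ROLE_RANK[minRole]) {
    throw new AuthorizationError("insufficient role");
  }
  return resource;
}

// Constructed sample data: two organizations, one server and one schedule each.
const servers = new Map([
  ["srv-1", { id: "srv-1", organizationId: "org-A" }],
  ["srv-2", { id: "srv-2", organizationId: "org-B" }],
]);
const schedules = new Map([
  ["sched-1", { id: "sched-1", organizationId: "org-A", serverId: "srv-1", type: "backup" }],
  ["sched-2", { id: "sched-2", organizationId: "org-B", serverId: "srv-2", type: "restart" }],
]);
let nextScheduleId = 3;

// Creating a schedule also scopes the *referenced* server: knowing a serverId
// from another organization must not let a caller attach work to it.
function createSchedule(session, input) {
  const server = assertOrgAccess(session, servers.get(input.serverId), "admin");
  const schedule = {
    id: "sched-" + nextScheduleId++,
    organizationId: server.organizationId, // derived from the server, never from input
    serverId: server.id,
    type: input.type,
  };
  schedules.set(schedule.id, schedule);
  return schedule;
}

function runSchedule(session, scheduleId) {
  const schedule = assertOrgAccess(session, schedules.get(scheduleId), "member");
  return { started: schedule.id, type: schedule.type };
}

function deleteSchedule(session, scheduleId) {
  const schedule = assertOrgAccess(session, schedules.get(scheduleId), "admin");
  schedules.delete(schedule.id);
  return { deleted: schedule.id };
}

// Turns a denial into a result object; a real service would also log each
// denial, since repeated cross-org id probing is a useful detection signal.
function attempt(fn) {
  try {
    return { ok: true, value: fn() };
  } catch (e) {
    if (e instanceof AuthorizationError) return { ok: false, denied: e.message };
    throw e;
  }
}
```

The organizationId of a new record is copied from the already-verified server rather than taken from the request, which closes the common variant where a caller supplies a foreign organization id directly.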
Hardcoded secret — the crown jewel
CVE-2026-45631 (CVSS 10.0) is the most critical vulnerability in this batch. From version 0.27.0 to before 0.29.3, Dokploy shipped with a hardcoded BETTER_AUTH_SECRET fallback value of "better-auth-secret-123456789". This allows an unauthenticated attacker to forge email verification JWTs, trigger auto-sign-in as an administrator, and then execute commands on the host via the built-in SSH terminal feature. No authentication is required to exploit this bug — the attacker only needs network access to a vulnerable Dokploy instance.
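The defensive counterpart to a hardcoded fallback is a startup check that fails closed: the process refuses to boot when the signing secret is unset, equals a known default, or is too short or too uniform to have come from a random generator. The block below is an added example and not Dokploy's code. The environment variable name and the default value come from the advisory; the additional known-default entries, the 32-character minimum, and the entropy threshold are assumptions that a project would tune to its own history.

```javascript
// Added example (not Dokploy code): refuse to start on a missing or weak
// BETTER_AUTH_SECRET instead of silently falling back to a built-in value.
// The default list, minimum length and entropy threshold are assumptions.

const KNOWN_DEFAULT_SECRETS = new Set([
  "better-auth-secret-123456789", // the fallback named in CVE-2026-45631
  "changeme",                     // constructed placeholder entry
  "secret",                       // constructed placeholder entry
]);

const MIN_SECRET_LENGTH = 32;
const MIN_ENTROPY_PER_CHAR = 3.5; // a random base64 or hex secret scores 4 to 6

// Shannon entropy in bits per character; catches repeated or near-constant
// strings that pass a pure length check.
function entropyPerChar(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Pure check so it can be unit-tested and reused by a config linter.
function checkAuthSecret(value) {
  if (value === undefined || value === "") {
    return { ok: false, reason: "BETTER_AUTH_SECRET is not set" };
  }
  if (KNOWN_DEFAULT_SECRETS.has(value)) {
    return { ok: false, reason: "known default value" };
  }
  if (value.length < MIN_SECRET_LENGTH) {
    return { ok: false, reason: "shorter than 32 characters" };
  }
  if (entropyPerChar(value) < MIN_ENTROPY_PER_CHAR) {
    return { ok: false, reason: "low entropy" };
  }
  return { ok: true, reason: "" };
}

// Startup hook: no fallback value and no warn-and-continue path. Generate a
// real secret with something like `openssl rand -base64 48`.
function loadAuthSecret(env = process.env) {
  const result = checkAuthSecret(env.BETTER_AUTH_SECRET);
  if (!result.ok) {
    throw new Error("refusing to start: " + result.reason);
  }
  return env.BETTER_AUTH_SECRET;
}
```

Because the vulnerable versions accepted any token signed with the known default, rotating the secret after upgrading is part of the fix, not an optional step: existing sessions and verification tokens minted under the old value remain valid until the secret changes.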
Patch status and response
The Dokploy project has addressed these vulnerabilities across multiple releases. Users should upgrade to the latest available version. Specific patched versions include 0.29.3 (which fixes CVE-2026-45631 and the hardcoded secret issue) and later releases that address the command injection and path traversal bugs. Given the severity and breadth of this batch — particularly the hardcoded secret that bypasses all authentication — any instance running a version between 0.19.0 and 0.29.3 should be treated as compromised until patched and audited.
Why this matters
Dokploy is used by development teams to manage production and staging infrastructure. The concentration of command injection bugs, combined with a hardcoded auth secret that grants unauthenticated admin access, means that a single unpatched instance can be fully compromised from the internet. Organizations running Dokploy should prioritize patching, rotate all secrets and credentials on affected systems, and audit logs for signs of unauthorized access or command execution.