CVE-2026-43917
Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dokploy 0.19.0 and earlier lacks organization-scoping checks on 25+ endpoints, allowing authenticated users to access other organizations' resources.
Vulnerability
Dokploy versions 0.19.0 and earlier are affected by a missing organization-scoping check in the protectedProcedure middleware. The middleware only verifies authentication, but does not validate that the requested resource belongs to the user's active organization. This affects over 25 endpoints across multiple tRPC routers, including deployment.ts (allByType, killProcess, removeDeployment), rollbacks.ts (delete), backup.ts (numerous endpoints including create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, listBackupFiles), volume-backups.ts (six endpoints), cluster.ts (getNodes, removeWorker, addWorker, addManager), and mount.ts (create). Correctly secured endpoints in the same routers perform an organization ID check by comparing the resource's organization ID with ctx.session.activeOrganizationId. [1]
Exploitation
An attacker must be an authenticated user in any organization. They can obtain resource IDs (e.g., deployment, backup, or cluster IDs) belonging to another organization through enumeration or other means. By calling the vulnerable tRPC endpoints with those IDs, the attacker can retrieve, modify, or delete resources that should be scoped to the target organization. No additional privileges or user interaction are required beyond authentication. [1]
Impact
An authenticated attacker can read, modify, or delete resources (deployments, backups, volumes, cluster nodes, mounts, rollbacks) belonging to any other organization. This constitutes unauthorized access to sensitive data, potential data loss, and disruption of services. The attacker gains the same level of access as the owner of the resource, but without authorization. [1]
Mitigation
As of the published advisory, no fixed version is listed. The advisory was published on 2026-05-29. Users should apply the recommended fix: ensure every tRPC endpoint that accesses resources verifies that the resource's organization ID matches ctx.session.activeOrganizationId, following the pattern used in correctly secured endpoints. Until a patched version is released, administrators should monitor for unauthorized access and consider deploying a reverse-proxy or WAF to restrict API calls. [1]
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
1. 6ff06576d00d fix(dockerfile): update Railpack installation script to use bash
1 file changed · +1 −1
Dockerfile+1 −1 modified@@ -57,7 +57,7 @@ RUN curl -sSL https://nixpacks.com/install.sh -o install.sh \ # Install Railpack ARG RAILPACK_VERSION=0.0.37 -RUN curl -sSL https://railpack.com/install.sh | sh +RUN curl -sSL https://railpack.com/install.sh | bash # Install buildpacks COPY --from=buildpacksio/pack:0.35.0 /usr/local/bin/pack /usr/local/bin/pack
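Review bot: this hunk only changes the interpreter on the right side of the pipe (`| sh` to `| bash`) and leaves the pipe-to-shell install pattern as it was: `ARG RAILPACK_VERSION=0.0.37` is declared two lines above, but the URL `https://railpack.com/install.sh` is not pinned to that version and nothing verifies a checksum of the script before it is executed, so the image build trusts whatever the endpoint serves at build time. Consider fetching the script to a file, verifying a known digest (or pinning to a versioned URL or ref), and only then running it. The commit also does not touch any of the tRPC routers named in the advisory, so it should not be cited as the fix for the missing organization-scoping checks.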
Vulnerability mechanics
Root cause
"The protectedProcedure middleware only verifies authentication and does not enforce organization scoping, leaving each endpoint to individually check resource ownership."
Attack vector
An authenticated attacker can access, modify, or delete resources belonging to other organizations by simply switching their session's `activeOrganizationId` or by directly calling endpoints that lack organization-scoping checks. No special network position is required beyond being an authenticated user of the Dokploy instance. The affected endpoints include operations on deployments, rollbacks, backups, volume backups, cluster nodes, and mounts [patch_id=3104649].
Affected code
The vulnerability affects multiple endpoints across `deployment.ts`, `rollbacks.ts`, `backup.ts`, `volume-backups.ts`, `cluster.ts`, and `mount.ts`. The `protectedProcedure` middleware only checks authentication but does not enforce organization scoping, leaving each endpoint responsible for verifying that the resource's organization matches the session's `activeOrganizationId`.
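The check described under Mitigation and in the paragraph above is small but easy to forget per endpoint. The following is an added example, not Dokploy's own code: a minimal stand-in for a tRPC router that models an authentication-only `protectedProcedure`, a handler that stops there (the vulnerable shape), the same handler with the resource's `organizationId` compared against `ctx.session.activeOrganizationId` (the pattern the advisory says the secure endpoints follow), and a small wrapper that bundles "load resource, then check org" so that a new endpoint cannot skip the check. The session and resource shapes, the in-memory store, and the names `requireAuth`, `assertInActiveOrg` and `orgScoped` are assumptions made for the example; only `activeOrganizationId` comes from the advisory.

```typescript
// Added example (not Dokploy's code). Models the missing org-scoping check
// and the fix the advisory describes, with no tRPC dependency.

// Assumed session shape; activeOrganizationId is the field the advisory names.
interface Session {
  userId: string;
  activeOrganizationId: string;
}
interface Context {
  session: Session | null;
}

// Assumed resource shape: every org-owned resource records its owning org.
interface Deployment {
  deploymentId: string;
  organizationId: string;
  status: "running" | "killed";
}

class TRPCError extends Error {
  code: "UNAUTHORIZED" | "NOT_FOUND";
  constructor(code: "UNAUTHORIZED" | "NOT_FOUND", message: string) {
    super(message);
    this.code = code;
  }
}

// Constructed in-memory store: two organizations with one deployment each.
const deployments = new Map<string, Deployment>([
  ["dep-a", { deploymentId: "dep-a", organizationId: "org-a", status: "running" }],
  ["dep-b", { deploymentId: "dep-b", organizationId: "org-b", status: "running" }],
]);

// Stand-in for protectedProcedure: proves the caller is signed in, nothing more.
function requireAuth(ctx: Context): Session {
  if (!ctx.session) throw new TRPCError("UNAUTHORIZED", "not signed in");
  return ctx.session;
}

// The per-endpoint check: the resource must belong to the session's active org.
// Answering NOT_FOUND instead of FORBIDDEN avoids confirming that an ID exists
// in some other organization.
function assertInActiveOrg(resource: { organizationId: string }, session: Session): void {
  if (resource.organizationId !== session.activeOrganizationId) {
    throw new TRPCError("NOT_FOUND", "deployment not found");
  }
}

function loadDeployment(deploymentId: string): Deployment {
  const d = deployments.get(deploymentId);
  if (!d) throw new TRPCError("NOT_FOUND", "deployment not found");
  return d;
}

// Vulnerable shape: authentication is the only gate, so a member of org-b
// can act on org-a's deployment.
function killProcessVulnerable(ctx: Context, input: { deploymentId: string }): Deployment {
  requireAuth(ctx);
  const d = loadDeployment(input.deploymentId);
  d.status = "killed";
  return d;
}

// Fixed shape: same handler with the org comparison added.
function killProcess(ctx: Context, input: { deploymentId: string }): Deployment {
  const session = requireAuth(ctx);
  const d = loadDeployment(input.deploymentId);
  assertInActiveOrg(d, session);
  d.status = "killed";
  return d;
}

// Router-level alternative: load and check are bundled, so the handler body
// only ever sees a resource already proven to be in the caller's active org.
function orgScoped<T extends { organizationId: string }, I, R>(
  load: (input: I) => T,
  handler: (resource: T, session: Session, input: I) => R,
): (ctx: Context, input: I) => R {
  return (ctx, input) => {
    const session = requireAuth(ctx);
    const resource = load(input);
    assertInActiveOrg(resource, session);
    return handler(resource, session, input);
  };
}

const removeDeployment = orgScoped(
  (input: { deploymentId: string }) => loadDeployment(input.deploymentId),
  (d, _session) => deployments.delete(d.deploymentId),
);
```

The wrapper is the part worth copying: once every resource-bound procedure is built through something like `orgScoped`, the check is enforced by construction and a review only has to confirm that no endpoint bypasses the wrapper, instead of re-reading each of the 25+ handlers the advisory lists.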
What the fix does
The advisory does not include a code-level patch that adds organization-scoping checks; the referenced commit `6ff06576d00dad06890ff074fd39662f3964d464` only changes `sh` to `bash` in a Dockerfile and is unrelated to the vulnerability. No fix for the missing organization scoping is shown in the supplied bundle.
Preconditions
- auth: The attacker must be an authenticated user of the Dokploy instance.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.