VYPR
Critical severity10.0NVD Advisory· Published May 29, 2026· Updated Jun 1, 2026

CVE-2026-45631

CVE-2026-45631

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Dokploy/Dokployreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: >=0.27.0 <0.29.3

Patches

Vulnerability mechanics

References

2

News mentions

1