VYPR
Critical severity 9.9 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-45632


Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dokploy 0.26.7 and earlier suffers from a missing authorization check in the schedule router, allowing any authenticated user to execute remote code on the host or target servers.

Vulnerability

In Dokploy versions 0.26.7 and earlier, the schedule router (apps/dokploy/server/api/routers/schedule.ts) fails to enforce organization or role-based access controls. This allows any authenticated user — even low-privilege members — to create, update, run, or delete schedules belonging to other organizations, provided they know the scheduleId or serverId. The two schedule types server and dokploy-server write executable scripts to the filesystem via packages/server/src/services/schedule.ts and execute them through packages/server/src/utils/schedules/utils.ts, enabling arbitrary command execution on the Dokploy host or any registered remote server [1].

Exploitation

An attacker needs only an authenticated session or valid API key with minimal permissions (e.g., a member user whose API/CLI access has been enabled). No additional user interaction or race condition is required. The attacker crafts a schedule with scheduleType: "dokploy-server" (for host RCE) or "server" (for remote server RCE) containing a malicious script payload via the schedule.create API endpoint. They then call schedule.runManually to trigger immediate execution. The proof-of-concept uses curl with the user's API key to send these requests, resulting in the script running on the target machine [1].

Impact

Successful exploitation grants an attacker arbitrary command execution on the Dokploy host (if using dokploy-server) or on any registered remote server (if using server). This can lead to full compromise of the Dokploy platform and all connected servers, including data exfiltration, lateral movement, and persistent backdoor installation. Unauthorized schedule deletion also enables denial-of-service abuse [1].

Mitigation

Dokploy has patched this vulnerability in version 0.26.8, released on 2026-05-29 according to the GitHub advisory [1]. All users running 0.26.7 or earlier should upgrade immediately. No workaround is available since the fix involves adding organization/role checks to the schedule router. The issue is not listed in CISA's Known Exploited Vulnerabilities (KEV) as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Dokploy/Dokploy (inferred), 2 versions, range: <=0.26.7 (no CPE)

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The schedule router never checks organizationId or role before invoking service methods, allowing any authenticated user to create, update, run, or delete schedules belonging to other organizations."

Attack vector

An authenticated attacker with a low-privileged member account and an API key can call `schedule.create` with `scheduleType: "dokploy-server"` and an arbitrary script payload, then invoke `schedule.runManually` to execute that script on the Dokploy host. No serverId is required for the host variant. The same technique works against registered remote servers by setting `scheduleType: "server"` and a known `serverId`. The schedule router never validates that the schedule or server belongs to the attacker's organization, nor does it enforce role restrictions [CWE-862] [ref_id=1].

Affected code

The vulnerability resides in `apps/dokploy/server/api/routers/schedule.ts` (create/update/delete/one/runManually/list) and the underlying service layer in `packages/server/src/services/schedule.ts` and `packages/server/src/utils/schedules/utils.ts`. These files lack organization and role authorization checks before writing or executing scripts on the host or remote servers [ref_id=1].

What the fix does

The advisory recommends enforcing organization and role checks on all schedule procedures, restricting `server` and `dokploy-server` schedule types to owner/admin roles, and validating that `serverId`/`scheduleId` belongs to the requester's `activeOrganizationId`. No patch diff is provided in the bundle, so the exact code changes are not visible; the fix must add authorization guards in the schedule router and service layer [ref_id=1].
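The guard pattern the advisory describes, written out as an added TypeScript example that is not Dokploy's code: a role check for the two script-executing schedule types, plus an ownership check that the referenced `serverId` or `scheduleId` belongs to the requester's `activeOrganizationId`. Every type, function name and fixture below (`Requester`, `authorizeScheduleInput`, `authorizeScheduleAccess`, the `org-A`/`srv-A1` records) is a hypothetical assumption of this example, not Dokploy's real API.

```typescript
// Added example (not Dokploy's code): authorization guards of the kind the
// advisory says the schedule router must gain. Names and shapes are hypothetical.

type Role = "owner" | "admin" | "member";
// "server" and "dokploy-server" are the script-executing types named in the
// advisory; "application" stands in for any non-privileged type (assumed name).
type ScheduleType = "application" | "server" | "dokploy-server";

interface Requester { userId: string; role: Role; activeOrganizationId: string; }
interface ScheduleRecord { scheduleId: string; organizationId: string; scheduleType: ScheduleType; serverId?: string; }
interface ServerRecord { serverId: string; organizationId: string; }

type Decision = { allowed: true } | { allowed: false; reason: string };
const allow: Decision = { allowed: true };
const deny = (reason: string): Decision => ({ allowed: false, reason });

// Types that write and execute scripts on the host or a remote server.
const PRIVILEGED_TYPES: ReadonlySet<ScheduleType> = new Set<ScheduleType>(["server", "dokploy-server"]);
const PRIVILEGED_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Guard for create/update input: role check for privileged types, then an
// ownership check on the referenced server.
function authorizeScheduleInput(
  requester: Requester,
  input: { scheduleType: ScheduleType; serverId?: string },
  findServer: (serverId: string) => ServerRecord | undefined,
): Decision {
  if (PRIVILEGED_TYPES.has(input.scheduleType) && !PRIVILEGED_ROLES.has(requester.role)) {
    return deny("role: only owner/admin may create script-executing schedules");
  }
  if (input.scheduleType === "server") {
    if (!input.serverId) return deny("input: serverId is required for server schedules");
    const server = findServer(input.serverId);
    // Same answer for "missing" and "other organization", so the guard does not
    // confirm whether a guessed serverId exists.
    if (!server || server.organizationId !== requester.activeOrganizationId) {
      return deny("not found: server is not in the requester's organization");
    }
  }
  return allow;
}

// Guard for one/update/delete/runManually on an existing schedule: the record
// must belong to the requester's active organization, and modifying or running a
// privileged schedule stays restricted to owner/admin.
function authorizeScheduleAccess(
  requester: Requester,
  schedule: ScheduleRecord | undefined,
  action: "read" | "write" | "run",
): Decision {
  if (!schedule || schedule.organizationId !== requester.activeOrganizationId) {
    return deny("not found: schedule is not in the requester's organization");
  }
  if (action !== "read" && PRIVILEGED_TYPES.has(schedule.scheduleType) && !PRIVILEGED_ROLES.has(requester.role)) {
    return deny("role: only owner/admin may modify or run script-executing schedules");
  }
  return allow;
}

// Constructed fixtures for a stand-alone run (hypothetical ids).
const servers: ServerRecord[] = [{ serverId: "srv-A1", organizationId: "org-A" }];
const findServer = (id: string): ServerRecord | undefined => servers.find((s) => s.serverId === id);
const ownerA: Requester = { userId: "u-owner-a", role: "owner", activeOrganizationId: "org-A" };
const ownerB: Requester = { userId: "u-owner-b", role: "owner", activeOrganizationId: "org-B" };
const memberB: Requester = { userId: "u-member-b", role: "member", activeOrganizationId: "org-B" };
const scheduleA: ScheduleRecord = { scheduleId: "sch-A1", organizationId: "org-A", scheduleType: "dokploy-server" };

// Owner in org-A targeting its own server: allowed. Member of org-B creating a
// host schedule: denied by role. Owner of org-B naming org-A's server: denied by
// ownership. Member of org-B running org-A's schedule: denied.
console.log(authorizeScheduleInput(ownerA, { scheduleType: "server", serverId: "srv-A1" }, findServer));
console.log(authorizeScheduleInput(memberB, { scheduleType: "dokploy-server" }, findServer));
console.log(authorizeScheduleInput(ownerB, { scheduleType: "server", serverId: "srv-A1" }, findServer));
console.log(authorizeScheduleAccess(memberB, scheduleA, "run"));
```

The two guards are deliberately pure functions of the requester and the looked-up record, so they can be called from every procedure (create, update, delete, one, runManually, list) before any service method touches the filesystem, which is the placement the advisory calls for.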

Preconditions

  • auth: The attacker must have a valid authenticated session or API key for a member-level user.
  • input: The attacker must know the scheduleId or serverId (for the remote server variant), or can use the 'dokploy-server' type, which needs no serverId.
  • network: The Dokploy instance must be reachable over the network (HTTP/HTTPS).

Reproduction

As the member user, call `schedule.create` with `scheduleType: "dokploy-server"` and a script payload. Then call `schedule.runManually` with the returned `scheduleId`. Verify execution on the host (e.g., `cat /tmp/dokploy-pwn`). For remote server RCE, use `scheduleType: "server"` and a known `serverId`. Full curl examples are provided in the advisory [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.