VYPR advisory · Published May 31, 2026 · 1 source

10 Critical Flaws Disclosed in Dokploy PaaS — Hardcoded Auth Secret and Command Injection Bugs Expose Servers

Ten vulnerabilities, including a CVSS 10.0 hardcoded authentication secret and multiple command injection flaws, were disclosed in the self-hosted PaaS Dokploy on May 29, 2026, allowing unauthenticated admin takeover and full server compromise.

On May 29, 2026, a batch of ten CVEs was disclosed for Dokploy, a free, self-hosted Platform as a Service (PaaS) used by developers to deploy and manage containerized applications. The disclosure spans versions from 0.19.0 through 0.29.3 and includes eight Critical-severity bugs, one High-severity issue, and one Medium-severity authorization flaw. The most severe of the batch, CVE-2026-45631, carries a CVSSv3 score of 10.0 — a hardcoded BETTER_AUTH_SECRET fallback that lets any unauthenticated attacker forge email verification JWTs, auto-sign in as admin, and execute commands on the host via Dokploy's built-in SSH terminal.

The largest thematic group in this batch is command injection, with five CVEs sharing the same root cause: unsanitized user input interpolated into shell commands executed via child_process.exec() or similar mechanisms. CVE-2026-45633 (CVSS 9.9) targets the /docker-container-logs WebSocket endpoint, where the tail and since parameters are concatenated directly into shell commands without validation. CVE-2026-45628 (CVSS 9.6) affects Dokploy 0.29.2 and earlier, where user-supplied branch names, repository URLs, and Docker credentials are interpolated directly into shell commands. CVE-2026-45630 (CVSS 9.0) is an authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint, allowing admin and owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation. CVE-2026-45629 (CVSS 9.9) affects the /listen-deployment WebSocket endpoint, where any organization member can execute arbitrary system commands on remote servers managed by Dokploy. CVE-2026-45663 (CVSS 9.9) is a command injection in the Docker file upload functionality, where the destinationPath parameter is not sanitized and is directly interpolated into a shell command.

CVE-2026-45661 (CVSS 9.9) is a critical path traversal vulnerability in Dokploy 0.26.5 and earlier. An authenticated user can write arbitrary files to the filesystem during application deployment. When combined with Dokploy's remote server deployment feature, this bug can lead to full server compromise. The traversal occurs during the deployment pipeline where file paths are not properly sanitized before being written to disk.

CVE-2026-45662 (CVSS 8.8, High severity) affects Dokploy 0.29.0 and earlier. The deleteRegistry function in packages/server/src/services/registry.ts executes docker logout ${response.registryUrl} without shell escaping. Notably, the adjacent docker login command in the same file correctly uses shEscape(), making this an inconsistent sanitization gap that attackers can exploit.

Two authorization bypass vulnerabilities were also disclosed. CVE-2026-45632 (CVSS 9.9) targets the schedule router in Dokploy 0.26.7 and earlier, where the router does not enforce organization or role checks, meaning any authenticated user can create, update, run, or delete schedules belonging to other organizations. CVE-2026-43917 (Medium severity) is a broader authorization issue affecting Dokploy 0.19.0 and earlier, where the protectedProcedure middleware only verifies that a user is authenticated — it does not enforce organization scoping, creating a systemic authorization gap across many endpoints.
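An added example, not Dokploy's code, that models the gap behind both authorization CVEs: a "protected" middleware that only checks for a session, next to one that also binds the request to the caller's organization and role before a mutating schedule operation. The sessions, schedule records, roles and error codes are constructed for illustration.

```javascript
// In-memory stand-in for the schedules table (constructed sample data).
const schedules = new Map([
  ["sch-1", { id: "sch-1", organizationId: "org-A", name: "nightly-backup" }],
  ["sch-2", { id: "sch-2", organizationId: "org-B", name: "rotate-logs" }],
]);

class ProcedureError extends Error {
  constructor(code) { super(code); this.code = code; }
}

// Authentication only: any valid session passes, whatever its organization.
function protectedProcedure(ctx) {
  if (!ctx.session) throw new ProcedureError("UNAUTHORIZED");
  return ctx;
}

// The flawed shape: authenticated, but the record is fetched by id alone,
// so an org-A member can read or act on org-B's schedule.
function lookupScheduleFlawed(ctx, scheduleId) {
  protectedProcedure(ctx);
  return schedules.get(scheduleId);
}

// Hardened shape: the record must belong to the caller's organization, and
// destructive actions additionally require an elevated role.
function orgScopedProcedure(ctx, scheduleId, { requireRole = [] } = {}) {
  protectedProcedure(ctx);
  const schedule = schedules.get(scheduleId);
  // NOT_FOUND rather than FORBIDDEN, so ids cannot be enumerated across orgs.
  if (!schedule || schedule.organizationId !== ctx.session.organizationId) {
    throw new ProcedureError("NOT_FOUND");
  }
  if (requireRole.length && !requireRole.includes(ctx.session.role)) {
    throw new ProcedureError("FORBIDDEN");
  }
  return schedule;
}

function deleteSchedule(ctx, scheduleId) {
  const s = orgScopedProcedure(ctx, scheduleId, { requireRole: ["owner", "admin"] });
  schedules.delete(s.id);
  return { deleted: s.id };
}
```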

The crown jewel of this batch is CVE-2026-45631 (CVSS 10.0). From version 0.27.0 to before 0.29.3, Dokploy shipped with a hardcoded BETTER_AUTH_SECRET fallback value of "better-auth-secret-123456789". This allows an unauthenticated attacker to forge email verification JWTs, trigger auto-sign-in as an administrator, and then execute commands on the host via the built-in SSH terminal feature. No authentication is required to exploit this bug — the attacker only needs network access to a vulnerable Dokploy instance.

The Dokploy project has addressed these vulnerabilities across multiple releases. Users should upgrade to the latest available version. Specific patched versions include 0.29.3 (which removes the hardcoded secret fallback, CVE-2026-45631) and later releases that address the command injection and path traversal bugs. Given the severity and breadth of this batch — particularly the hardcoded secret that bypasses all authentication — any instance running a version between 0.19.0 and 0.29.3 should be treated as compromised until patched and audited.

Dokploy is used by development teams to manage production and staging infrastructure. The concentration of command injection bugs, combined with a hardcoded auth secret that grants unauthenticated admin access, means that a single unpatched instance can be fully compromised by an attacker with network access. This disclosure follows a broader trend of critical vulnerabilities in open-source PaaS and DevOps tools, underscoring the importance of rigorous input validation and the dangers of shipping hardcoded secrets in any software.

Synthesized by Vypr AI