Critical Dokploy Vulnerabilities: Immediate Upgrade to 0.29.3 Required

June 1, 2026 (Updated: June 1, 2026)

Summary

Dokploy, a popular self-hostable Platform-as-a-Service (PaaS) solution, is facing several critical security vulnerabilities. CVE-2026-45630 and CVE-2026-45631 allow attackers to completely take over instances and execute arbitrary code. An immediate upgrade to version 0.29.3 or later is strongly recommended.

What happened?

In the last 24 hours, several critical CVEs have been released for Dokploy. Of particular concern are:

  • CVE-2026-45631: Allows for admin takeover without prior authentication (Pre-Auth Admin Takeover).
  • CVE-2026-45630: Allows authenticated users to execute code on the remote server (Authenticated RCE).

These vulnerabilities affect versions prior to 0.29.3. The developer has already released patches.

Why it matters

Dokploy is widely used by developers and the self-hosting community to manage applications efficiently. Since Dokploy has direct access to Docker sockets and server resources, a compromise of the Dokploy instance typically means full control over the underlying server. A pre-auth exploit makes any publicly accessible instance immediately vulnerable.

Evidence

The vulnerabilities have been documented in official advisories and CVE databases. Security advisories have been published on GitHub detailing the technical aspects of the flaws. Security tools like Mondoo have already rated the severity of these vulnerabilities as “CRITICAL.”

Analysis

The cluster of critical vulnerabilities suggests an intensive security review of the 0.29.x branch. The combination of pre-auth admin takeover and RCE is a worst-case scenario for any PaaS solution. It highlights the need for self-hosters to secure their infrastructure tools behind VPNs or access proxies (such as Cloudflare Access or Tailscale) instead of exposing them directly to the internet.

Practical Takeaways

  • Immediate Update: Update your Dokploy instance to version 0.29.3 immediately.
  • Restrict Access: Ensure that the Dokploy dashboard is not publicly accessible. Use VPNs or IP whitelists.
  • Check Logs: Inspect your server logs for any unusual activity or unauthorized admin logins over the past few days.
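The first two takeaways reduce to two questions an operator can answer from the host: is the running version older than 0.29.3, and is the dashboard bound on an interface the internet can reach? The script below is an added example, not code from this advisory or from the Dokploy project. It assumes the dashboard listens on TCP port 3000 (an assumed default) and that listening sockets are collected with `ss -ltn`; the `ss` output embedded in it is a constructed sample.

```python
"""Two post-advisory checks for a self-hosted Dokploy instance.

Added example; not code from the advisory or the Dokploy project.
Assumptions (revisit them when adapting):
  - the dashboard listens on TCP port 3000 (assumed default), and
  - listening sockets are collected with `ss -ltn` on a Linux host.
"""
import re
import subprocess
from typing import List, Tuple

# First release carrying the fixes for CVE-2026-45630 and CVE-2026-45631
# (from the advisory).
PATCHED_VERSION = (0, 29, 3)

# Bind addresses that mean "every interface", i.e. reachable from outside
# unless a firewall, VPN or access proxy sits in front.
WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}

DASHBOARD_PORT = 3000  # assumed Dokploy dashboard port


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '0.29.2', 'v0.29.3' or '0.29.3-rc.1' into a comparable tuple.

    A pre-release or build suffix is dropped, so '0.29.3-rc.1' compares
    equal to 0.29.3; treat pre-release builds as unpatched unless the
    project's advisory says otherwise.
    """
    core = version.strip().lstrip("vV").split("-", 1)[0].split("+", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the running version predates the patched release."""
    return parse_version(version) < PATCHED_VERSION


def exposed_listeners(ss_output: str, port: int = DASHBOARD_PORT) -> List[str]:
    """Return 'Local Address:Port' entries that bind `port` on all interfaces.

    `ss_output` is the text of `ss -ltn`; column 4 (index 3) is the
    local address and port. Loopback-only binds are not reported.
    """
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        local = fields[3]
        addr, _, port_str = local.rpartition(":")  # handles '[::]:3000' too
        if port_str == str(port) and addr in WILDCARD_ADDRESSES:
            exposed.append(local)
    return exposed


# Constructed sample of `ss -ltn` output: one loopback-only bind (fine) and
# two wildcard binds (dashboard reachable from every interface).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:3000      0.0.0.0:*
LISTEN  0       4096    0.0.0.0:3000        0.0.0.0:*
LISTEN  0       4096    [::]:3000           [::]:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
"""


def live_ss_output() -> str:
    """Collect `ss -ltn` from the current host (Linux with iproute2)."""
    return subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    import sys

    # Pass the running version as the first argument; "0.29.2" is a constructed default.
    version = sys.argv[1] if len(sys.argv) > 1 else "0.29.2"
    state = "VULNERABLE, upgrade to 0.29.3" if is_vulnerable(version) else "patched"
    print(f"version {version}: {state}")
    try:
        listeners = exposed_listeners(live_ss_output())
    except (OSError, subprocess.CalledProcessError):
        listeners = exposed_listeners(SAMPLE_SS_OUTPUT)  # no `ss` here: use the constructed sample
    for entry in listeners:
        print(f"dashboard port bound on all interfaces: {entry}")
```

A wildcard bind is not by itself proof of exposure (a host firewall or cloud security group may still block the port), but it is the condition under which the "Restrict Access" takeaway applies; a loopback-only bind behind a reverse proxy or VPN is what the advisory's recommendation looks like on the host.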

Open Questions

  • How many instances were already compromised before the patches became available?
  • Are there further undiscovered vulnerabilities in the current branch that might soon emerge due to increased interest from security researchers (and attackers)?

Sources

  1. CVE-2026-45630: Authenticated RCE in Dokploy
  2. CVE-2026-45631: Pre-Auth Admin Takeover
  3. Dokploy Security Advisories on GitHub
  4. Mondoo Vulnerability Intelligence