Dokploy Vulnerability Wave: Three New Critical RCE and Command Injection CVEs
🔄 Update — 11 June 2026: Critical CVSS 10/10 Hardcoded Secret Vulnerability (CVE-2026-45631) Discovered
A new critical vulnerability (CVE-2026-45631) with a maximum CVSS score of 10.0 has been identified in Dokploy (versions 0.27.0 to 0.29.2). A hardcoded authentication secret allows unauthenticated remote attackers to forge JWT tokens, bypass admin authorization, and achieve remote code execution on the host. Maintainers have released version 0.29.3 to address this flaw.
What’s new?
- CVE-2026-45631 (CVSS 10.0): Discovery of a hardcoded authentication secret (better-auth-secret-123456789) in the code, allowing complete authentication bypass.
- WebSocket RCE (CVE-2026-45629): An additional remote command execution vulnerability has been patched in the WebSocket terminal endpoint.
- Emergency Patch Release: Dokploy version 0.29.3 is now available, which rotates the secret and secures the endpoints.
Why this adds to the article
This update shows the Dokploy security wave worsening: the earlier issues required an authenticated session, while CVE-2026-45631 lets an unauthenticated attacker forge a session and take over the host outright.
Summary
Three critical vulnerabilities have been discovered in the open-source self-hosted PaaS platform Dokploy, allowing authenticated users to perform Remote Code Execution (RCE) and OS Command Injection. The security flaws reside in the command execution process, the schedule router, and the Traefik configuration endpoint. Attackers can exploit these issues to execute unauthorized shell scripts on the host or remote managed servers. Patches have been released by the maintainers.
What happened?
In recent days, details on three major vulnerabilities in Dokploy were published:
- CVE-2026-45632 (CVSS 9.9): An authorization bypass in the schedule router (versions 0.26.7 and earlier). An authenticated user can bypass organization checks to modify schedules, executing arbitrary shell scripts on the Dokploy host or remote servers.
- CVE-2026-45628 (CVSS 9.9): A command injection vulnerability (versions 0.29.2 and earlier). Dokploy builds CLI command strings using template literals and runs them via child_process.exec(). Malicious inputs in branch names, repository URLs, or credentials lead directly to RCE.
- CVE-2026-45630 (CVSS 9.0): Authenticated command injection in application.updateTraefikConfig (versions 0.28.8 and earlier). High-privilege admin accounts can inject shell metacharacters into the Traefik config update flow to gain remote code execution on target hosts.
Why it matters
Dokploy is widely used as a self-hosted alternative to platforms like Heroku or Vercel. Because the backend runs with access to the system Docker socket, RCE on Dokploy represents a complete compromise of all hosted applications, secrets, and customer databases. An attacker can pivot across tenant boundaries, leak sensitive environment variables, or seize control of remote managed servers.
Evidence
- Security Databases: Detailed advisories are listed in the SentinelOne Vulnerability Database and Yutori Scouts.
- Vendor Advisories: GitHub Security Advisories GHSA-7wmr-57mg-h5q6, GHSA-3frc-cfh9-ch2c, and GHSA-p787-6gqg-cvp5 confirm the implementation bugs and coordinate the patch releases.
Analysis
These vulnerabilities are classic coding flaws in web-based operations tooling. Building CLI commands by string concatenation or interpolation and handing them to a shell, instead of passing discrete arguments through a safe API (spawn or execFile with an arguments array), turns every user-controlled field into an injection vector. Separately, failing to check object ownership (IDOR) in the schedule router lets a tenant modify another tenant's schedules, and thus run scripts on servers it does not own.
Practical Takeaways
Administrators running Dokploy should take immediate action:
- Upgrade Dokploy: Move to version 0.29.3 or later immediately; that release is past every affected range listed above, including the 0.29.2 cutoff for CVE-2026-45628.
- Restrict Access: Ensure the Dokploy management UI is behind a VPN or protected by Nginx/Firewall IP allow-lists.
- Disable Self-Registration: Turn off public registrations to prevent unauthorized actors from obtaining authenticated API sessions.
- Rotate Secrets: Rotate SSH keys, registry credentials, and API tokens stored in Dokploy that may have been exposed. Because the hardcoded secret allowed session forgery, treat admin sessions that existed before the upgrade as potentially attacker-controlled and review recent administrative changes.
Open Questions
- Are there active exploits circulating in the wild targeting these specific endpoints?
- How many internet-exposed self-hosted Dokploy instances remain unpatched and vulnerable?