PatchSiren cyber security CVE debrief
CVE-2026-43917 Dokploy CVE debrief
CVE-2026-43917 documents an authorization bypass in Dokploy, a self-hostable Platform-as-a-Service (PaaS) solution. In versions 0.19.0 and earlier, the `protectedProcedure` middleware authenticates users but fails to enforce organization-level scoping. This allows authenticated users to access or manipulate resources across organizational boundaries without explicit permission checks at the middleware layer. Individual API endpoints must implement their own organization validation, but numerous endpoints—including deployment management, backup operations, cluster configuration, and volume handling—lack these checks. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The issue was disclosed on May 29, 2026, with a CVSS 4.0 score of 5.3 (Medium severity).
- Vendor: Dokploy
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running multi-tenant Dokploy deployments with version 0.19.0 or earlier; security teams responsible for PaaS infrastructure authorization controls; developers building on Dokploy who rely on organization-based access isolation
Technical summary
The `protectedProcedure` middleware in Dokploy ≤0.19.0 performs authentication but omits organization scoping validation. This architectural gap requires each API endpoint to independently verify that the requested resource belongs to the user's active organization (`activeOrganizationId`). Multiple critical endpoints across deployment, backup, cluster, and volume management modules lack this validation, enabling authenticated users to perform operations on resources outside their organizational scope. The vulnerability affects endpoints in: deployment.ts (allByType, killProcess, removeDeployment), rollbacks.ts (delete), backup.ts (create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, listBackupFiles), volume-backups.ts (list, one, delete, update, runManually, restoreVolumeBackupWithLogs), cluster.ts (getNodes, removeWorker, addWorker, addManager), and mount.ts (create).
Defensive priority
medium
Recommended defensive actions
- Upgrade Dokploy to a version newer than 0.19.0 that implements organization scoping in the protectedProcedure middleware
- Review custom middleware implementations to ensure organization-level authorization checks are enforced at the middleware layer rather than relying on individual endpoint validation
- Audit access logs for cross-organization resource access patterns that may indicate exploitation
- Implement defense-in-depth by adding organization scoping checks to all affected endpoints (deployment.ts, rollbacks.ts, backup.ts, volume-backups.ts, cluster.ts, mount.ts) if immediate patching is not feasible
- Consider network segmentation or additional authentication layers for multi-tenant Dokploy deployments until remediation is complete
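The technical summary above describes a guard that only authenticates, leaving each endpoint to compare the requested resource's organization against the caller's `activeOrganizationId`; the second and fourth recommended actions ask for that comparison to move into the middleware. The following TypeScript is an added illustration written for this debrief, not Dokploy's code: it models a tRPC-style `protectedProcedure` that checks only for a session, next to an `organizationScopedProcedure` that also resolves the owning organization of the requested resource and refuses mismatches. The session shape, the in-memory deployment store, the error codes and all identifiers are constructed for the example.

```typescript
// Added illustration (not Dokploy's code): an authentication-only guard in the
// style of a tRPC `protectedProcedure`, next to a guard that also enforces
// organization scoping. Types, names and data below are constructed.

type Session = { userId: string; activeOrganizationId: string };
type Context = { session: Session | null };
type AuthedContext = Context & { session: Session };

type Deployment = { deploymentId: string; organizationId: string; status: string };

// Constructed sample store: two tenants, one deployment each.
const deployments = new Map<string, Deployment>([
  ["dep-a", { deploymentId: "dep-a", organizationId: "org-a", status: "running" }],
  ["dep-b", { deploymentId: "dep-b", organizationId: "org-b", status: "running" }],
]);

type ErrorCode = "UNAUTHORIZED" | "FORBIDDEN" | "NOT_FOUND";

class ProcedureError extends Error {
  readonly code: ErrorCode;
  constructor(code: ErrorCode) {
    super(code);
    this.code = code;
  }
}

type Procedure<I, O> = (ctx: Context, input: I) => O;

// The pattern the advisory describes: the guard only checks that a session exists.
// A logged-in user can pass any resource id through it, so every handler behind it
// must remember to re-check ownership itself.
function protectedProcedure<I, O>(handler: (ctx: AuthedContext, input: I) => O): Procedure<I, O> {
  return (ctx, input) => {
    if (ctx.session === null) throw new ProcedureError("UNAUTHORIZED");
    return handler(ctx as AuthedContext, input);
  };
}

// Hardened pattern: the guard resolves which organization owns the requested
// resource and refuses the call unless it matches the caller's active organization.
// Doing this once at the middleware layer means no individual endpoint can omit it.
function organizationScopedProcedure<I, O>(
  ownerOf: (input: I) => string | undefined,
  handler: (ctx: AuthedContext, input: I) => O,
): Procedure<I, O> {
  return protectedProcedure<I, O>((ctx, input) => {
    const owner = ownerOf(input);
    if (owner === undefined) throw new ProcedureError("NOT_FOUND");
    // Returning NOT_FOUND here as well is a reasonable choice when you would
    // rather not confirm that another tenant's resource id exists.
    if (owner !== ctx.session.activeOrganizationId) throw new ProcedureError("FORBIDDEN");
    return handler(ctx, input);
  });
}

type ByIdInput = { deploymentId: string };

function loadDeployment(input: ByIdInput): Deployment {
  const found = deployments.get(input.deploymentId);
  if (found === undefined) throw new ProcedureError("NOT_FOUND");
  return found;
}

// The same read handler wired through both guards.
const getDeploymentUnscoped: Procedure<ByIdInput, Deployment> =
  protectedProcedure<ByIdInput, Deployment>((_ctx, input) => loadDeployment(input));

const getDeploymentScoped: Procedure<ByIdInput, Deployment> =
  organizationScopedProcedure<ByIdInput, Deployment>(
    (input) => deployments.get(input.deploymentId)?.organizationId,
    (_ctx, input) => loadDeployment(input),
  );

// Runs a procedure as a member of `orgId` (anonymously when null) and reports
// either the returned id or the error code, so the two guards can be compared.
function callAs<I>(orgId: string | null, proc: Procedure<I, Deployment>, input: I): string {
  const ctx: Context =
    orgId === null ? { session: null } : { session: { userId: "user-1", activeOrganizationId: orgId } };
  try {
    return "ok:" + proc(ctx, input).deploymentId;
  } catch (err) {
    const failure = err as { code?: string };
    if (typeof failure.code === "string") return "error:" + failure.code;
    throw err;
  }
}

// Constructed demonstration: a member of org-b asks for org-a's deployment.
console.log("unscoped:", callAs("org-b", getDeploymentUnscoped, { deploymentId: "dep-a" })); // ok:dep-a
console.log("scoped:  ", callAs("org-b", getDeploymentScoped, { deploymentId: "dep-a" })); // error:FORBIDDEN
console.log("own org: ", callAs("org-a", getDeploymentScoped, { deploymentId: "dep-a" })); // ok:dep-a
```

The contrast is the whole point: behind `protectedProcedure` alone, the foreign `deploymentId` is served because nothing compares its `organizationId` with the session's `activeOrganizationId`; behind `organizationScopedProcedure` the same request is refused before the handler runs. When auditing a code base for this class of defect, the check to look for is exactly that comparison, and the place to look for it is the middleware rather than each of the enumerated endpoints.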
Evidence notes
Vulnerability confirmed via GitHub Security Advisory GHSA-f8wj-5c4w-frhg. Affected endpoints explicitly enumerated in CVE description. CVSS 4.0 vector provided in NVD metadata.
Official resources
- CVE-2026-43917 CVE record (CVE.org)
- CVE-2026-43917 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29