PatchSiren cyber security CVE debrief
CVE-2026-45632 Dokploy CVE debrief
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions 0.26.7 and earlier, the schedule router does not enforce organization or role-based access controls. This allows any authenticated user to create, update, run, or delete schedules belonging to other organizations if they know the scheduleId or serverId. Schedule types 'server' and 'dokploy-server' write and execute scripts on the host or remote servers, enabling remote code execution on the Dokploy host or a target server.
- Vendor: Dokploy
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations running self-hosted Dokploy instances for multi-tenant or team-based deployments; DevOps and platform engineering teams managing Dokploy infrastructure; security teams responsible for container platform security and supply chain integrity
Technical summary
The schedule router in Dokploy 0.26.7 and earlier fails to validate that the requesting user belongs to the organization associated with the target schedule. The router endpoints accept scheduleId and serverId parameters without verifying organizational membership or role permissions. Schedule types 'server' and 'dokploy-server' execute user-supplied scripts on the target host. An attacker with any valid authentication token can enumerate or guess scheduleId/serverId values and submit malicious schedule payloads that execute arbitrary commands on the Dokploy host or connected remote servers. The vulnerability chain combines CWE-862 (Missing Authorization) with CWE-78 (OS Command Injection) to achieve network-accessible remote code execution with low attack complexity.
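As an added illustration of the bug class described above (CWE-862 in a schedule handler), not Dokploy's own code: a hypothetical update handler that trusts the scheduleId alone, beside a hardened version that checks organization membership and role. The Schedule, Session and store shapes are assumptions made for the example.

```typescript
// Hypothetical model of the missing-authorization pattern; not Dokploy's code.
type Role = "owner" | "admin" | "member";
type ScheduleType = "server" | "dokploy-server" | "application";
interface Session { userId: string; organizationId: string; role: Role; }
interface Schedule { scheduleId: string; organizationId: string; scheduleType: ScheduleType; script: string; }

// Constructed sample data: one schedule per organization.
export function makeStore(): Map<string, Schedule> {
  return new Map<string, Schedule>([
    ["sch-a1", { scheduleId: "sch-a1", organizationId: "org-A", scheduleType: "server", script: "backup.sh" }],
    ["sch-b1", { scheduleId: "sch-b1", organizationId: "org-B", scheduleType: "dokploy-server", script: "rotate-logs.sh" }],
  ]);
}

// Vulnerable pattern: the only check is that the id exists, so any authenticated
// session can rewrite a schedule that belongs to another organization.
export function updateScheduleVulnerable(store: Map<string, Schedule>, session: Session, scheduleId: string, script: string): Schedule {
  const schedule = store.get(scheduleId);
  if (!schedule) throw new Error("NOT_FOUND");
  schedule.script = script;
  return schedule;
}

// Hardened pattern: the schedule must belong to the caller's organization, and schedule
// types that execute scripts on a host additionally require an elevated role.
export function updateScheduleHardened(store: Map<string, Schedule>, session: Session, scheduleId: string, script: string): Schedule {
  const schedule = store.get(scheduleId);
  // Answer NOT_FOUND for foreign schedules as well, so the endpoint does not confirm
  // that a guessed id exists in some other organization.
  if (!schedule || schedule.organizationId !== session.organizationId) throw new Error("NOT_FOUND");
  const executesOnHost = schedule.scheduleType === "server" || schedule.scheduleType === "dokploy-server";
  if (executesOnHost && session.role === "member") throw new Error("FORBIDDEN");
  schedule.script = script;
  return schedule;
}
```

The role gate is an assumption about how such a deployment might map roles to script-executing schedules; the organization check is the part that closes the cross-tenant access described in the summary.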
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade to Dokploy version 0.26.8 or later, which contains the security fix
- Review all existing schedules for unauthorized modifications by checking creation and modification timestamps
- Audit access logs for schedule-related API calls from unexpected user accounts or organizations
- Implement network segmentation to limit Dokploy administrative interfaces to authorized administrative hosts only
- Review and enforce principle of least privilege for all Dokploy user accounts
- Monitor for anomalous script execution or file modifications on Dokploy hosts and managed servers
Evidence notes
The vulnerability was disclosed via GitHub Security Advisory GHSA-7wmr-57mg-h5q6 and indexed by NVD. The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields a base score of 9.9 (Critical). CWE classifications include CWE-78 (OS Command Injection), CWE-269 (Improper Privilege Management), and CWE-862 (Missing Authorization). The vulnerability affects Dokploy versions 0.26.7 and earlier.
Official resources
- CVE-2026-45632 CVE record (CVE.org)
- CVE-2026-45632 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-29