CVE-2026-45631 Overview
CVE-2026-45631 is a hardcoded credential vulnerability in Dokploy, a free, self-hostable Platform as a Service (PaaS). Versions from 0.27.0 to before 0.29.3 ship with a hardcoded BETTER_AUTH_SECRET fallback value of better-auth-secret-123456789, used whenever the environment variable is not set. Because that fallback sits in public source code, an unauthenticated attacker can forge email verification JSON Web Tokens (JWTs) signed with it, trigger an auto-sign-in as the administrator, and then execute arbitrary commands on the host through the built-in SSH terminal. The flaw is tracked as CWE-798: Use of Hard-coded Credentials. Dokploy resolved the issue in version 0.29.3.
Critical Impact
An unauthenticated network attacker can forge authentication tokens, sign in as admin, and execute arbitrary commands on the underlying host, resulting in full compromise of the Dokploy server.
Affected Products
- Dokploy 0.27.0 through versions prior to 0.29.3
- Self-hosted Dokploy deployments in that version range that never set BETTER_AUTH_SECRET explicitly and therefore run on the fallback value
- Dokploy-managed hosts exposing the built-in SSH terminal feature
Discovery Timeline
- 2026-05-29 - CVE-2026-45631 published to the National Vulnerability Database (NVD)
- 2026-06-01 - Last updated in the NVD database
Technical Details for CVE-2026-45631
Vulnerability Analysis
Dokploy uses the better-auth library to issue and validate session and verification tokens. When the BETTER_AUTH_SECRET environment variable is not explicitly set, the application falls back to a hardcoded string, better-auth-secret-123456789. The verification tokens are signed with a symmetric secret, so whoever holds the secret can both verify and mint them. Because the fallback is embedded in public source code, every attacker holds it, and any instance still running on the fallback accepts tokens the attacker signs as authentic.
The attacker forges an email verification JWT for the administrator account's email address. Dokploy's verification flow accepts the token, marks the email as verified, and triggers an auto-sign-in. The attacker now holds an administrator session without ever having known the administrator's password.
The Dokploy console exposes a built-in SSH terminal for managing the host and deployed services. With administrator privileges, the attacker uses this terminal to run arbitrary shell commands, achieving remote code execution on the underlying server.
Root Cause
The root cause is the inclusion of a hardcoded secret as a fallback value in the authentication configuration. A fallback that exists for developer convenience silently becomes the production signing key on every deployment whose operator never set the variable. Secrets used to sign JWTs must be unique per deployment, high-entropy, and never present in source code; shipping a default string allows any reader of the repository to derive a working signing key for every vulnerable deployment. A missing secret should fail startup rather than fall back to a known value.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker reaches the Dokploy authentication endpoint over HTTP(S), submits a forged email verification JWT signed with the known fallback secret, and receives an authenticated admin session in response. The attacker then issues commands through the built-in SSH terminal endpoint. Because privilege boundaries are crossed from unauthenticated network user to administrator on the host, the scope of impact extends beyond the application to the operating system.
No public proof-of-concept code is referenced in the advisory. Technical details are available in the GitHub Security Advisory GHSA-w3gm-rc4p-9rhj and the remediation pull request.
Detection Methods for CVE-2026-45631
Indicators of Compromise
- Unexpected successful email verification events for administrator accounts followed by immediate session creation from unfamiliar IP addresses.
- New or unexpected SSH terminal sessions initiated from the Dokploy web UI shortly after an authentication event.
- Outbound network connections, file writes, or new processes spawned by the Dokploy service account that do not match deployment activity.
- An affected version (0.27.0 through 0.29.2) running with BETTER_AUTH_SECRET unset, or with it set to the literal string better-auth-secret-123456789, in the running configuration or environment of any Dokploy instance. The fallback lives in code, so an absent variable is the indicator as much as the literal's presence.
Detection Strategies
- Inspect Dokploy application logs for verification token submissions that succeed without a preceding user-initiated registration or password reset.
- Correlate admin login events with the source IP and user-agent baseline; flag deviations.
- Monitor for shell commands executed under the Dokploy host process tree, particularly commands that download tooling, modify cron, or alter SSH keys.
Monitoring Recommendations
- Enable centralized logging of authentication, session creation, and terminal command events from Dokploy to a SIEM or data lake.
- Alert on any process spawned by Dokploy that invokes curl, wget, bash -i, nc, or interpreter shells.
- Track configuration drift on the BETTER_AUTH_SECRET value across all environments to confirm it is set, non-default, unique per environment, and rotated on a schedule.
How to Mitigate CVE-2026-45631
Immediate Actions Required
- Upgrade Dokploy to version 0.29.3 or later on every host without delay.
- Set BETTER_AUTH_SECRET to a unique, cryptographically random value of at least 32 bytes and restart the service.
- Invalidate all existing sessions and verification tokens, then force password resets for administrator accounts.
- Audit the host for unauthorized SSH keys, cron jobs, new users, and outbound connections established since 0.27.0 was deployed.
Patch Information
The vulnerability is fixed in Dokploy 0.29.3. The fix removes the hardcoded fallback and requires operators to supply an explicit BETTER_AUTH_SECRET. Review the upstream pull request #4374 and the GitHub Security Advisory GHSA-w3gm-rc4p-9rhj for the full code change and upgrade guidance.
Workarounds
- If immediate upgrade is not possible, explicitly set a strong, random BETTER_AUTH_SECRET in the environment so the hardcoded fallback is never used. This closes the forgery path on its own, but the upgrade should still follow.
- Restrict network exposure of the Dokploy management UI to trusted administrative networks or a VPN until the patch is applied.
- Disable or firewall the built-in SSH terminal endpoint to limit post-authentication command execution paths.
# Configuration example: generate one strong BETTER_AUTH_SECRET and hand it to the service.
# Generate the value once so the exported variable and the systemd drop-in carry the same secret.
SECRET="$(openssl rand -hex 32)"   # 32 random bytes, hex-encoded
# For a manual/foreground start, export it before launching Dokploy:
export BETTER_AUTH_SECRET="$SECRET"
# Persist across reboots (systemd drop-in; the unit name dokploy.service is assumed, adjust to your install)
sudo mkdir -p /etc/systemd/system/dokploy.service.d
cat <<EOF | sudo tee /etc/systemd/system/dokploy.service.d/override.conf >/dev/null
[Service]
Environment="BETTER_AUTH_SECRET=$SECRET"
EOF
# The drop-in holds the secret in cleartext: make it root-only.
sudo chmod 600 /etc/systemd/system/dokploy.service.d/override.conf
sudo systemctl daemon-reload
sudo systemctl restart dokploy
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


