CVE-2026-45632 Overview
CVE-2026-45632 is a missing authorization vulnerability in Dokploy, a free self-hostable Platform as a Service (PaaS). The schedule router in versions 0.26.7 and earlier fails to enforce organization and role checks on incoming requests. Any authenticated user who knows or guesses a valid scheduleId or serverId can create, update, run, or delete schedules across organization boundaries. Because the server and dokploy-server schedule types write and execute scripts on the host or on remote servers, exploitation results in remote code execution (RCE) on the Dokploy host or on any managed target server. The flaw is classified under CWE-78 (OS Command Injection) because it permits unauthorized script execution.
Critical Impact
A low-privileged authenticated user can achieve RCE on the Dokploy control plane and managed servers, leading to full multi-tenant compromise.
Affected Products
- Dokploy versions 0.26.7 and earlier
- Dokploy self-hosted PaaS deployments
- Dokploy-managed remote servers configured as schedule targets
Discovery Timeline
- 2026-05-29 - CVE-2026-45632 published to the National Vulnerability Database (NVD)
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-45632
Vulnerability Analysis
Dokploy exposes a schedule router that manages recurring tasks across tenant organizations. The router accepts requests referencing schedules by scheduleId and servers by serverId, but it omits the authorization layer that verifies the caller belongs to the owning organization or holds the required role. The schedule subsystem supports multiple types, including server and dokploy-server, which materialize the schedule body as a shell script and execute it on the Dokploy host or a remote target. Combined, these two conditions transform a multi-tenant PaaS into a shared execution surface where any authenticated tenant can pivot into other tenants.
Root Cause
The root cause is broken access control in the schedule router. Endpoints that mutate or execute schedules rely only on the presence of a valid session, not on object-level authorization tying the schedule or server to the caller's organization. This is a classic insecure direct object reference paired with a privileged sink, where the sink is shell execution on the host operating system.
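The pattern described above, as an added example that is not Dokploy's code: a session-only check (the vulnerable shape) beside an object-level authorization check that ties the schedule and its target server to the caller's organization and role. The types, the role names, the "application" schedule type, the in-memory store and every id are constructed for illustration.

```typescript
// Added example, not Dokploy's code: object-level authorization for a schedule
// mutation, shown beside the session-only check that the advisory describes.
// Types, role names, the in-memory store and all ids are constructed.

type Role = "owner" | "admin" | "member"; // assumed role set

interface Session {
  userId: string;
  organizationId: string; // organization the caller is acting in
  role: Role;
}

interface Schedule {
  scheduleId: string;
  organizationId: string; // tenant that owns the schedule
  type: "application" | "server" | "dokploy-server"; // "application" is assumed
  serverId?: string; // remote target for type "server"
}

interface Server {
  serverId: string;
  organizationId: string;
}

// Constructed in-memory rows standing in for the application database.
const schedules = new Map<string, Schedule>([
  ["sch-a1", { scheduleId: "sch-a1", organizationId: "org-A", type: "server", serverId: "srv-a" }],
  ["sch-b1", { scheduleId: "sch-b1", organizationId: "org-B", type: "dokploy-server" }],
]);
const servers = new Map<string, Server>([
  ["srv-a", { serverId: "srv-a", organizationId: "org-A" }],
  ["srv-b", { serverId: "srv-b", organizationId: "org-B" }],
]);

// Assumed policy: only owners and admins may touch schedules that run scripts.
const SCRIPT_SCHEDULE_ROLES: ReadonlySet<Role> = new Set<Role>(["owner", "admin"]);

// Vulnerable pattern: authentication only. A valid session plus a valid id is
// enough, so any tenant can act on any other tenant's schedule.
function canMutateScheduleVulnerable(session: Session | null, scheduleId: string): boolean {
  return session !== null && schedules.has(scheduleId);
}

// Hardened pattern: object-level authorization. The schedule must exist, be
// owned by the caller's organization, the caller must hold an allowed role, and
// any server the schedule targets must belong to that same organization.
function canMutateSchedule(session: Session | null, scheduleId: string): boolean {
  if (session === null) return false;
  const schedule = schedules.get(scheduleId);
  // "Missing" and "owned by someone else" return the same answer, so the
  // endpoint cannot be used to confirm which ids exist.
  if (schedule === undefined || schedule.organizationId !== session.organizationId) return false;
  if (!SCRIPT_SCHEDULE_ROLES.has(session.role)) return false;
  if (schedule.serverId !== undefined) {
    const server = servers.get(schedule.serverId);
    if (server === undefined || server.organizationId !== session.organizationId) return false;
  }
  return true;
}

// The same rule for creating a new schedule that targets a server: the caller
// may only point a script schedule at a server their organization owns.
function canCreateServerSchedule(session: Session | null, serverId: string): boolean {
  if (session === null || !SCRIPT_SCHEDULE_ROLES.has(session.role)) return false;
  const server = servers.get(serverId);
  return server !== undefined && server.organizationId === session.organizationId;
}
```

The important design choice is that the check is keyed on the object being acted upon, not on the session alone: the lookup fetches the schedule's owning organization and compares it to the caller's, and the server referenced by the schedule is validated the same way, so neither a guessed scheduleId nor a guessed serverId crosses a tenant boundary.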
Attack Vector
An attacker registers or uses any authenticated account on the target Dokploy instance. The attacker enumerates or guesses a scheduleId or serverId belonging to another organization, or creates a new schedule of type server or dokploy-server that targets an unauthorized server. Submitting the schedule causes Dokploy to write the attacker-controlled script content to disk and execute it under the privileges of the Dokploy worker. This yields command execution on the Dokploy host or the selected remote server, with scope escalation across every tenant on the platform. See the GitHub Security Advisory GHSA-7wmr-57mg-h5q6 for additional technical context.
Detection Methods for CVE-2026-45632
Indicators of Compromise
- Schedule creation or modification events where the requesting user's organization does not match the schedule's owning organization.
- Execution logs showing schedules of type server or dokploy-server running unexpected shell commands or outbound network connections.
- New cron entries, systemd units, or temporary script files written by the Dokploy process outside normal deployment workflows.
- Outbound connections from Dokploy hosts or managed servers to attacker-controlled infrastructure shortly after schedule invocations.
Detection Strategies
- Audit the Dokploy application database for schedules whose organizationId does not align with their associated project or server owner.
- Correlate API access logs for the schedule router endpoints with the authenticated user's organization membership and flag mismatches.
- Monitor child processes spawned by the Dokploy runtime for shell interpreters such as bash, sh, or python invoking unusual binaries.
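The first two strategies above, as an added example that is not Dokploy tooling: an offline audit of schedule rows against server ownership, and a correlation of schedule-router access log lines with the caller's organization membership. The JSON-lines log format, the field names, the `/api/trpc/schedules` path prefix (taken from the nginx workaround on this page) with its procedure suffixes, and all ids are assumed or constructed.

```typescript
// Added example, not Dokploy tooling: two detection checks over constructed
// sample data. Log format, field names, path suffixes and ids are assumed.

interface ScheduleRow {
  scheduleId: string;
  organizationId: string;
  type: string;
  serverId?: string;
}
interface ServerRow {
  serverId: string;
  organizationId: string;
}

// Check 1: schedule rows whose organization does not own the server they target.
function auditScheduleOwnership(scheduleRows: ScheduleRow[], serverRows: ServerRow[]): string[] {
  const serverOwner = new Map(serverRows.map((s): [string, string] => [s.serverId, s.organizationId]));
  const findings: string[] = [];
  for (const row of scheduleRows) {
    if (row.serverId === undefined) continue; // no remote target to compare against
    const owner = serverOwner.get(row.serverId);
    if (owner === undefined) {
      findings.push(`${row.scheduleId}: references unknown server ${row.serverId}`);
    } else if (owner !== row.organizationId) {
      findings.push(`${row.scheduleId}: org ${row.organizationId} targets server ${row.serverId} owned by ${owner}`);
    }
  }
  return findings;
}

// Assumed access-log record for one schedule-router request (JSON lines).
interface AccessLogEntry {
  ts: string;
  userId: string;
  path: string;
  scheduleId?: string;
  serverId?: string;
}

function parseLogLine(line: string): AccessLogEntry | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj.ts !== "string" || typeof obj.userId !== "string" || typeof obj.path !== "string") return null;
    return obj as AccessLogEntry;
  } catch {
    return null; // malformed line, skip rather than crash the pipeline
  }
}

// Check 2: schedule-router calls where the caller's organizations do not include
// the organization owning the referenced schedule or server. Calls that reference
// an id that does not exist are reported separately, since id guessing looks like this.
function correlateAccessLog(
  lines: string[],
  membership: Map<string, Set<string>>, // userId -> organizations the user belongs to
  scheduleRows: ScheduleRow[],
  serverRows: ServerRow[],
): string[] {
  const scheduleOwner = new Map(scheduleRows.map((s): [string, string] => [s.scheduleId, s.organizationId]));
  const serverOwner = new Map(serverRows.map((s): [string, string] => [s.serverId, s.organizationId]));
  const alerts: string[] = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (e === null || !e.path.startsWith("/api/trpc/schedules")) continue;
    if (e.scheduleId === undefined && e.serverId === undefined) continue; // nothing to correlate
    const orgs = membership.get(e.userId) ?? new Set<string>();
    const owner = e.scheduleId !== undefined ? scheduleOwner.get(e.scheduleId) : serverOwner.get(e.serverId as string);
    if (owner === undefined) {
      alerts.push(`${e.ts} ${e.userId} ${e.path}: unknown object id`);
    } else if (!orgs.has(owner)) {
      alerts.push(`${e.ts} ${e.userId} ${e.path}: cross-organization access to ${owner}`);
    }
  }
  return alerts;
}

// Constructed sample data: one schedule row pointing at a foreign server, one
// user acting outside their organization, and one line referencing a bogus id.
const SAMPLE_SCHEDULES: ScheduleRow[] = [
  { scheduleId: "sch-a1", organizationId: "org-A", type: "server", serverId: "srv-a" },
  { scheduleId: "sch-b1", organizationId: "org-B", type: "dokploy-server" },
  { scheduleId: "sch-x9", organizationId: "org-B", type: "server", serverId: "srv-a" },
];
const SAMPLE_SERVERS: ServerRow[] = [
  { serverId: "srv-a", organizationId: "org-A" },
  { serverId: "srv-b", organizationId: "org-B" },
];
const SAMPLE_MEMBERSHIP = new Map<string, Set<string>>([
  ["u-alice", new Set(["org-A"])],
  ["u-bob", new Set(["org-B"])],
]);
const SAMPLE_LOG: string[] = [
  '{"ts":"2026-06-01T10:00:00Z","userId":"u-alice","path":"/api/trpc/schedules.update","scheduleId":"sch-a1"}',
  '{"ts":"2026-06-01T10:01:00Z","userId":"u-bob","path":"/api/trpc/schedules.update","scheduleId":"sch-a1"}',
  '{"ts":"2026-06-01T10:02:00Z","userId":"u-bob","path":"/api/trpc/schedules.create","serverId":"srv-a"}',
  '{"ts":"2026-06-01T10:03:00Z","userId":"u-bob","path":"/api/trpc/schedules.run","scheduleId":"sch-zz"}',
  '{"ts":"2026-06-01T10:04:00Z","userId":"u-bob","path":"/api/trpc/project.all"}',
  "not json",
];
```

Run against the constructed data, `auditScheduleOwnership` reports only `sch-x9`, and `correlateAccessLog` raises three alerts for `u-bob` (two cross-organization calls and one reference to an id that does not exist) while Alice's in-organization update and the non-schedule request produce nothing. In a real deployment the membership map is loaded from the members table and the log lines come from the reverse proxy or application audit log.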
Monitoring Recommendations
- Enable verbose audit logging on the schedule router and forward events to a centralized SIEM for cross-tenant analysis.
- Baseline normal schedule frequency per organization and alert on bursts of schedule creation or execution from a single user.
- Track filesystem writes to schedule script directories and alert on writes originating from low-privileged user sessions.
How to Mitigate CVE-2026-45632
Immediate Actions Required
- Upgrade Dokploy to a version later than 0.26.7 that includes the schedule router authorization fix referenced in the vendor advisory.
- Restrict network exposure of the Dokploy management interface to trusted administrative networks or VPN segments only.
- Rotate credentials, API tokens, and SSH keys used by Dokploy to manage remote servers, since RCE may have exposed them.
- Review existing schedules and delete any of type server or dokploy-server that cannot be attributed to a legitimate owner.
Patch Information
The maintainers addressed the issue in a release following 0.26.7. Refer to the Dokploy GitHub Security Advisory GHSA-7wmr-57mg-h5q6 for the fixed version and patch commit details. Apply the upgrade across all Dokploy control planes and validate that managed servers are reconnected with rotated credentials.
Workarounds
- Disable user self-registration and limit accounts to a small set of trusted administrators until the patch is applied.
- Temporarily remove or disable schedules of type server and dokploy-server to eliminate the script execution sink.
- Place the Dokploy instance behind an authenticating reverse proxy that enforces additional identity checks on schedule router routes.
# Configuration example: restrict the Dokploy schedule router routes to a management CIDR via nginx
location /api/trpc/schedules {
    allow 10.10.0.0/24; # management subnet
    deny all;
    proxy_pass http://127.0.0.1:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.