CVE-2026-45631 | Dokploy is a free, self-hostable Platform as a Service (PaaS… | CVSS 10.0 CRITICAL

Description

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

Metadata

CVE ID: CVE-2026-45631
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 20:31 UTC
Published: 2026-05-29 16:13 UTC
Last updated: 2026-06-01 15:23 UTC
Primary CWE: CWE-798
CWE-798: Use of Hard-coded Credentials
Vendor / Product: Dokploy / dokploy
Sources: cve.org · NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Dokploy	dokploy	—	>= 0.27.0, < 0.29.3

Weakness (CWE)

CWE	Source	Description
CWE-798	cna	CWE-798: Use of Hard-coded Credentials

CVSS scores (1)

Score	Severity	Version	Source	Vector
10.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References (2)

https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj
https://github.com/Dokploy/dokploy/pull/4374 https://github.com/Dokploy/dokploy/pull/4374