CVE-2026-45631
Status: Deferred - Pending Action
Hardcoded Secret in Dokploy Allows Admin Command Execution

Publication date: 2026-05-29

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
Meta Information
Published: 2026-05-29
Last Modified: 2026-06-01
Generated: 2026-06-19
AI Q&A: 2026-05-29
EPSS Evaluated: 2026-06-18
Affected Vendors & Products
Showing 3 associated CPEs

Vendor    Product   Version / Range
dokploy   dokploy   From 0.27.0 (inc) to 0.29.3 (exc)
dokploy   dokploy   From 0.27.0 (inc) to 0.28.8 (inc)
dokploy   dokploy   0.29.3

Note that the third entry lists 0.29.3, which the description names as the fixed release; treat the first range (0.27.0 up to but not including 0.29.3) as the authoritative affected set.
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
Compliance Impact

This vulnerability allows unauthenticated attackers to gain full administrative control over the Dokploy platform, including access to hosted applications, databases, secrets, SSH keys, and registry credentials.

Such unauthorized access and potential data breaches could lead to violations of common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data.

The ability to execute commands on the host and access sensitive information increases the risk of data exposure, unauthorized data modification, and loss of data integrity, all of which are critical compliance concerns.

Therefore, this vulnerability poses a significant risk to compliance with data protection regulations by undermining the confidentiality, integrity, and availability of protected data.

Executive Summary

CVE-2026-45631 is a critical vulnerability in Dokploy versions 0.27.0 up to but not including 0.29.3, caused by a hardcoded fallback authentication secret, "better-auth-secret-123456789", that is used whenever BETTER_AUTH_SECRET is not configured. Because the secret is public, an unauthenticated attacker can forge email verification JWTs, pass the email verification check, and trigger the automatic sign-in that follows it as an admin user.

Because the install script never sets a unique value for BETTER_AUTH_SECRET, every default self-hosted Dokploy instance in the affected range signs with the same publicly known key. No privileges or user interaction are required.

Once signed in as admin, the attacker can open the built-in SSH terminal and execute arbitrary commands on the host, giving remote code execution and full control over hosted applications, databases, secrets, SSH keys, and registry credentials.

Impact Analysis

This vulnerability can have severe impacts including complete compromise of the Dokploy host system. An attacker can gain full administrative access without authentication, allowing them to execute arbitrary commands on the host via the SSH terminal.

  • Full control over all hosted applications and databases.
  • Access to sensitive secrets, SSH keys, and registry credentials.
  • Potential for remote code execution leading to data breaches, service disruption, or further network compromise.
Detection Guidance

An instance is vulnerable when it runs a release from 0.27.0 up to but not including 0.29.3 and BETTER_AUTH_SECRET has not been set, so that the code path falls through to the hardcoded "better-auth-secret-123456789".

You can verify the Dokploy version from the web UI, from the tag of the running container image, or with the CLI:

  • dokploy --version

To determine whether the fallback is in effect, inspect the environment the Dokploy container actually starts with (its Swarm service or Compose definition), not the host shell: the variable is set on the container, so a host-side check proves nothing. Inside the container you can check with:

  • printenv | grep BETTER_AUTH_SECRET

On a vulnerable version, an unset or empty variable means the fallback secret is in use. A variable that is set but holds the fallback value itself, or a short guessable string, is no better.

Because the fallback secret is public, any email verification token that validates under it was not issued to a legitimate user. Validating inbound verification tokens against the known secret, and alerting on admin sessions created through the verification or auto-sign-in flow for accounts that never requested verification, are the practical signals of exploitation.
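As an added example, not code from this page or from Dokploy, the Python below implements both detection signals: it resolves which secret a vulnerable instance would sign with given its container environment, and it checks whether a presented email verification JWT validates under the published fallback secret. It assumes the verification token is an HS256 JWT carrying the target email and an exp claim; the exact claim names are an assumption about Better Auth's token shape and are not confirmed by this page. The sample token is constructed inline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# The fallback value named in the advisory. Anyone can sign tokens with it.
FALLBACK_SECRET = "better-auth-secret-123456789"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT. Used here only to build the constructed sample token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token's HS256 signature validates under `secret`
    and the token has not expired; otherwise None. Any header other than HS256
    is rejected so a tampered 'alg' cannot turn this into an alg-confusion bug."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = payload.get("exp")
    if exp is not None and exp < (time.time() if now is None else now):
        return None
    return payload


def effective_secret(env: dict) -> str:
    """Secret a vulnerable (<0.29.3) instance would sign with, given the env
    of its container. Assumption: an empty value behaves like an unset one."""
    return env.get("BETTER_AUTH_SECRET") or FALLBACK_SECRET


def instance_uses_fallback(env: dict) -> bool:
    return effective_secret(env) == FALLBACK_SECRET


def forged_with_fallback(token: str) -> bool:
    """True if the token validates under the public fallback secret. No
    legitimate flow on a correctly configured instance produces such a token."""
    return verify_hs256(token, FALLBACK_SECRET) is not None


# Constructed sample: the kind of verification token an attacker could mint
# for an admin account on a vulnerable, default-configured instance.
# Claim names are an assumption about Better Auth's token shape.
SAMPLE_FORGED_TOKEN = sign_hs256(
    {"email": "admin@example.invalid", "exp": int(time.time()) + 3600},
    FALLBACK_SECRET,
)

if __name__ == "__main__":
    print("default env uses fallback:", instance_uses_fallback({}))
    print("sample token forged with fallback:", forged_with_fallback(SAMPLE_FORGED_TOKEN))
```

In a real deployment, feed `instance_uses_fallback` the output of `docker inspect` or `docker exec ... printenv` for the Dokploy container, and run `forged_with_fallback` over verification tokens captured at the reverse proxy; any hit is a confirmed forgery, not a heuristic.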

Mitigation Strategies

The immediate fix is to upgrade Dokploy to 0.29.3 or later, where the hardcoded fallback has been removed.

If you cannot upgrade immediately, set a unique, randomly generated BETTER_AUTH_SECRET (at least 32 bytes of entropy) as an environment variable or Docker secret on the Dokploy service and restart it, so the fallback is never reached. Tokens signed under the old secret stop validating once the secret changes; that is the intended effect, since it also invalidates anything an attacker may already have minted.

Treat any instance that ran a vulnerable version with the default secret as potentially compromised: review and rotate credentials, SSH keys, registry credentials, and application secrets reachable from Dokploy, and inspect the host for persistence, since the vulnerability allows remote command execution as admin.

Follow the updated installation and migration procedures provided with the fix, including running the migration scripts that re-encrypt existing 2FA TOTP secrets, to avoid authentication breakage after the secret changes.
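As an added example, not from this page or from Dokploy, the helper below supports the override step: it generates a replacement secret of the strength that step calls for, classifies an existing BETTER_AUTH_SECRET value so that a "set but weak" configuration is not mistaken for a fix, and builds the docker service update invocation that applies the new value to a Swarm service. The service name dokploy and the 32-byte minimum are assumptions about the deployment and are marked as such in the code.

```python
import secrets
import shlex
from typing import List, Optional

# The public fallback named in the advisory.
FALLBACK_SECRET = "better-auth-secret-123456789"
# Assumption: 32 random bytes (256 bits) is the floor for an HMAC-SHA256 signing key.
MIN_SECRET_BYTES = 32


def generate_secret(nbytes: int = MIN_SECRET_BYTES) -> str:
    """Fresh CSPRNG secret, URL-safe so it survives env files and shell quoting."""
    if nbytes < MIN_SECRET_BYTES:
        raise ValueError(f"secret must be at least {MIN_SECRET_BYTES} bytes")
    return secrets.token_urlsafe(nbytes)


def audit_secret(value: Optional[str]) -> str:
    """Classify a configured BETTER_AUTH_SECRET.

    'missing'  -> unset/empty; a vulnerable version falls back to the public default
    'fallback' -> explicitly set to the public default, which is no better
    'weak'     -> too short for a 256-bit key, or patterned on the default
    'ok'       -> long enough and not obviously derived from the default
    """
    if not value:
        return "missing"
    if value == FALLBACK_SECRET:
        return "fallback"
    # 32 bytes base64url-encodes to 43 chars; anything shorter cannot hold 256 bits.
    if len(value) < 43 or value.lower().startswith("better-auth-secret"):
        return "weak"
    return "ok"


def service_update_argv(secret: str, service: str = "dokploy") -> List[str]:
    """argv for `docker service update --env-add`, which sets the variable on a
    Swarm service and rolls its tasks so the new value takes effect.
    The service name is an assumption; confirm it with `docker service ls`."""
    if audit_secret(secret) != "ok":
        raise ValueError("refusing to apply a missing, fallback, or weak secret")
    return [
        "docker", "service", "update",
        "--env-add", f"BETTER_AUTH_SECRET={secret}",
        service,
    ]


if __name__ == "__main__":
    new_secret = generate_secret()
    print("audit of generated secret:", audit_secret(new_secret))
    # shlex.join renders the argv as a safely quoted command line for review.
    print(shlex.join(service_update_argv(new_secret)))
```

Run the printed command on the Swarm manager, then re-run the detection check inside the restarted container to confirm the variable is present; if Dokploy is deployed with Compose instead of a Swarm service, put the same variable in the service's environment or env_file and recreate the container.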
