CVE-2026-45631
Hardcoded Secret in Dokploy Allows Admin Command Execution
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45631 is a critical vulnerability in Dokploy versions from 0.27.0 up to, but not including, 0.29.3. It is caused by a hardcoded fallback authentication secret, "better-auth-secret-123456789". With this secret, an unauthenticated attacker can forge email verification JWT tokens, bypass the email verification check, and trigger the automatic sign-in as an admin user.
Because the install script never sets a unique environment variable for this secret, all default self-hosted Dokploy instances share the same weak signing key. This flaw enables attackers to gain full admin control without any privileges or user interaction.
Once signed in as admin, the attacker can access the built-in SSH terminal and execute arbitrary commands on the host system, leading to remote code execution and full control over hosted applications, databases, secrets, SSH keys, and registry credentials.
How can this vulnerability impact me?
This vulnerability can have severe impacts, up to complete compromise of the Dokploy host system. An attacker can gain full administrative access without authentication and then execute arbitrary commands on the host via the built-in SSH terminal. Consequences include:
- Full control over all hosted applications and databases.
- Access to sensitive secrets, SSH keys, and registry credentials.
- Potential for remote code execution leading to data breaches, service disruption, or further network compromise.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Dokploy installation is running a vulnerable version (from 0.27.0 up to, but not including, 0.29.3) and whether it relies on the hardcoded fallback secret "better-auth-secret-123456789" for authentication.
You can check the Dokploy version with a command like:
- dokploy --version
To detect if the hardcoded secret is in use, inspect the environment variables or configuration files for the presence or absence of a custom BETTER_AUTH_SECRET. For example, you can check environment variables with:
- printenv | grep BETTER_AUTH_SECRET
If the environment variable is not set (or is empty), the application falls back to the hardcoded secret and the instance is vulnerable.
Additionally, unexpected admin sign-ins that were not preceded by a proper email verification flow, or JWT tokens that validate against the known fallback secret, can indicate exploitation attempts and are worth monitoring for.
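A defender-side check that combines the two signals above (version range and the BETTER_AUTH_SECRET variable) into one verdict, added here as an example that is not part of the advisory or of Dokploy itself. The version range, variable name and fallback value come from the advisory; the .env-style input format and the sample contents are assumptions.

```python
import re
from typing import Optional, Tuple

# Boundaries and fallback value as stated in the advisory for CVE-2026-45631.
VULNERABLE_FROM = (0, 27, 0)   # first affected version
FIXED_IN = (0, 29, 3)          # first version with the fallback removed
FALLBACK_SECRET = "better-auth-secret-123456789"

# Constructed sample .env content (not from a real deployment): the secret is
# present but empty, which still triggers the fallback.
SAMPLE_ENV = """# constructed sample
DATABASE_URL=postgres://dokploy:example@db:5432/dokploy
BETTER_AUTH_SECRET=
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract 'v0.28.1' / 'Dokploy 0.29.3' into a comparable (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines (assumed .env layout); comments and blanks are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def assess(version_text: str, env: dict) -> str:
    """Return 'not_affected', 'mitigated', 'vulnerable' or 'unknown' for one instance."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if not (VULNERABLE_FROM <= version < FIXED_IN):
        return "not_affected"
    secret = env.get("BETTER_AUTH_SECRET", "")
    # Unset, empty, or explicitly set to the fallback all leave the known key in use.
    if secret and secret != FALLBACK_SECRET:
        return "mitigated"   # custom secret overrides the fallback until the upgrade
    return "vulnerable"


if __name__ == "__main__":
    print(assess("v0.28.1", parse_env(SAMPLE_ENV)))  # constructed input -> vulnerable
```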
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Dokploy to version 0.29.3 or later, where the hardcoded fallback secret has been removed and replaced with secure secret management.
If upgrading immediately is not possible, set a unique BETTER_AUTH_SECRET environment variable or Docker secret so that the hardcoded fallback is never used; this prevents attackers from signing tokens with the default secret.
Additionally, review and rotate any potentially compromised credentials, SSH keys, and secrets, as the vulnerability allows remote code execution and full admin control.
Follow the updated installation and migration procedures provided in the fix, including running migration scripts to re-encrypt existing 2FA TOTP secrets to avoid authentication breakage.