CVE-2026-45632
Deferred Deferred - Pending Action
Authenticated Schedule Manipulation in Dokploy Enables RCE

Publication date: 2026-05-29

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-06-02
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45632
EUVD
EUVD-2026-33354
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dokploy dokploy to 0.26.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45632 is a critical vulnerability in Dokploy versions up to 0.26.7 where the schedule router does not enforce organization or role-based access controls.

This flaw allows any authenticated user who knows a scheduleId or serverId to create, update, run, or delete schedules belonging to other organizations.

The schedules of type "server" and "dokploy-server" write and execute scripts on the host or remote servers, enabling remote code execution (RCE).

An attacker can exploit this by creating a malicious schedule with a script payload and executing it immediately, gaining full control over the Dokploy host or remote servers.

Impact Analysis

This vulnerability can have severe impacts including unauthorized remote code execution on the Dokploy host or connected remote servers.

An attacker can gain full control over affected systems, compromising confidentiality, integrity, and availability of data and services.

Because the vulnerability allows bypassing authorization checks, attackers can manipulate schedules across organizations, potentially disrupting operations or deploying malicious code.

Detection Guidance

Detection of this vulnerability involves identifying unauthorized schedule creation, updates, execution, or deletion by authenticated users across organizations. Since the vulnerability allows any authenticated user to manipulate schedules if they know scheduleId or serverId, monitoring API calls related to schedule management can help detect exploitation attempts.

Specifically, you can look for unusual API requests that create or run schedules with the "server" or "dokploy-server" types, as these execute scripts on hosts or remote servers.

While no explicit commands are provided in the resources, general detection steps include:

  • Monitor API logs for schedule creation, update, run, or delete actions by users outside their organization.
  • Check for execution of scripts or commands on the Dokploy host or remote servers triggered by schedules.
  • Audit authentication logs for suspicious activity involving scheduleId or serverId usage.
Mitigation Strategies

Immediate mitigation steps include enforcing organization and role-based authorization checks on the schedule router and service layer to prevent unauthorized access.

Restrict the ability to create or run schedules of type "server" and "dokploy-server" to privileged users only.

Validate scheduleId and serverId against the active organization to ensure users cannot access schedules outside their organization.

Additionally, review and update Dokploy to a version later than v0.26.7 where these fixes are applied.

Compliance Impact

CVE-2026-45632 allows unauthorized users to bypass authorization checks and execute arbitrary commands on the host or remote servers, leading to full control over sensitive systems.

This critical security flaw impacts confidentiality, integrity, and availability of data and systems, which are core principles in standards such as GDPR and HIPAA.

Failure to enforce proper access controls and privilege management can result in unauthorized data access or manipulation, potentially causing non-compliance with regulations that mandate strict data protection and access controls.

Therefore, organizations using affected versions of Dokploy may face increased risk of regulatory violations due to this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45632. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart