CVE-2026-45632
Authenticated Schedule Manipulation in Dokploy Enables RCE
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dokploy | dokploy | up to and including 0.26.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45632 is a critical vulnerability in Dokploy versions up to and including 0.26.7: the schedule router (and the service layer beneath it) does not check that a schedule or server belongs to the caller's organization, nor that the caller's role permits the action.
As a result, any authenticated user who knows or guesses a scheduleId or serverId can create, update, run, or delete schedules that belong to other organizations.
Schedules of type "server" and "dokploy-server" write a script to the Dokploy host or to a managed remote server and execute it, so the missing check turns into remote code execution (RCE).
A low-privileged attacker can create a schedule of one of those types with a malicious script payload and trigger it immediately, gaining code execution on the Dokploy host or on the remote servers it manages.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote code execution on the Dokploy host or connected remote servers.
An attacker can gain full control over affected systems, compromising confidentiality, integrity, and availability of data and services.
Because the vulnerability allows bypassing authorization checks, attackers can manipulate schedules across organizations, potentially disrupting operations or deploying malicious code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The simplest check is the version: any Dokploy instance at 0.26.7 or earlier is affected, regardless of configuration. Detecting exploitation means looking for schedule creation, update, run, or delete actions in which the acting user's organization differs from the organization that owns the targeted schedule or server, since the flaw is exactly that the router accepts such requests when the caller supplies a scheduleId or serverId from another organization.
Pay particular attention to requests that create or run schedules of type "server" or "dokploy-server", because those execute scripts on the host or on remote servers, and to such requests coming from accounts that are not owners or administrators.
No explicit commands are provided in the referenced resources, but general detection steps include:
- Review API or reverse-proxy logs for schedule create, update, run, or delete calls and correlate the caller's organization with the owner of the referenced scheduleId or serverId.
- Inspect the Dokploy host and managed remote servers for recently written or executed schedule scripts that no administrator recognizes.
- Audit recent logins and API activity of low-privileged accounts for bursts of requests referencing scheduleId or serverId values they would not normally use.
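The triage logic described above, as an added example that is not part of the advisory and is not Dokploy's own code: it runs offline over constructed audit records and flags the two patterns the text names, cross-organization schedule actions and host-executing schedule types used by non-privileged roles. The record fields (userId, role, orgId, scheduleOrgId, scheduleType, serverId) and the sample timestamps are assumptions about what an audit log might carry, not Dokploy's real log format; the "application" schedule type is a placeholder, only "server" and "dokploy-server" come from the advisory.

```typescript
// Added example (not from the advisory or Dokploy): offline triage of audit
// records for CVE-2026-45632-style schedule manipulation.
// All field names below are assumptions; adapt them to the real log source.

type ScheduleAction = "create" | "update" | "run" | "delete";
type Role = "owner" | "admin" | "member";

interface AuditRecord {
  ts: string;
  userId: string;
  role: Role;
  orgId: string;            // organization the caller is acting in
  action: ScheduleAction;
  scheduleId?: string;
  scheduleOrgId?: string;   // organization that owns the targeted schedule
  scheduleType: string;     // "server" and "dokploy-server" execute on hosts
  serverId?: string;
}

interface Finding {
  ts: string;
  userId: string;
  reason: string;
}

// Schedule types that write and execute a script on a host (from the advisory).
const HOST_EXEC_TYPES: ReadonlySet<string> = new Set(["server", "dokploy-server"]);

function findSuspicious(records: AuditRecord[]): Finding[] {
  const findings: Finding[] = [];
  for (const r of records) {
    // Pattern 1: the targeted schedule belongs to a different organization
    // than the one the caller is acting in.
    if (r.scheduleOrgId !== undefined && r.scheduleOrgId !== r.orgId) {
      findings.push({
        ts: r.ts,
        userId: r.userId,
        reason: `${r.action} on schedule ${r.scheduleId} owned by ${r.scheduleOrgId} from ${r.orgId}`,
      });
    }
    // Pattern 2: a host-executing schedule is created or run by a plain member.
    const isHostExec = HOST_EXEC_TYPES.has(r.scheduleType);
    const isExecAction = r.action === "create" || r.action === "run";
    if (isHostExec && isExecAction && r.role === "member") {
      findings.push({
        ts: r.ts,
        userId: r.userId,
        reason: `${r.action} of ${r.scheduleType} schedule by non-admin role ${r.role}`,
      });
    }
  }
  return findings;
}

// Constructed sample records for a dry run (not real Dokploy logs).
const SAMPLE_RECORDS: AuditRecord[] = [
  { ts: "2026-05-30T10:00:00Z", userId: "u1", role: "owner", orgId: "orgA",
    action: "create", scheduleId: "s1", scheduleOrgId: "orgA", scheduleType: "application" },
  // Member of orgB runs a schedule that orgA owns: cross-org manipulation.
  { ts: "2026-05-30T10:05:00Z", userId: "u2", role: "member", orgId: "orgB",
    action: "run", scheduleId: "s1", scheduleOrgId: "orgA", scheduleType: "application" },
  // Member creates a host-executing schedule in their own org: privilege concern.
  { ts: "2026-05-30T10:06:00Z", userId: "u2", role: "member", orgId: "orgB",
    action: "create", scheduleId: "s9", scheduleOrgId: "orgB", scheduleType: "dokploy-server", serverId: "srv1" },
];

for (const f of findSuspicious(SAMPLE_RECORDS)) {
  console.log(`${f.ts} ${f.userId}: ${f.reason}`);
}
```

Pattern 2 is deliberately noisy on a healthy install where members are allowed to run host schedules; treat it as a prioritisation signal and tune the role set to your own policy, while pattern 1 should never fire on a patched instance.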
What immediate steps should I take to mitigate this vulnerability?
The immediate step for operators is to upgrade Dokploy to a version later than 0.26.7, where the authorization fixes are applied. Until that is done, limit who can authenticate at all: the flaw is reachable by any logged-in user, so every member account with weak credentials or broad membership is an RCE path.
On the code side, the fix is to enforce organization and role-based authorization in the schedule router and the service layer it calls, rather than only at the UI, so that every scheduleId and serverId in a request is resolved and validated against the caller's active organization before any read, write, run, or delete.
The ability to create or run schedules of type "server" and "dokploy-server" should be restricted to privileged users, since those types execute scripts on the host or remote servers.
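An added illustration of the authorization checks the mitigation describes; this is example code, not Dokploy's router or its patch. The in-memory maps stand in for the database, and the type, role and function names are assumptions for the example (Dokploy's real API is a tRPC router and differs). It shows the vulnerable lookup-by-id pattern beside a hardened version that scopes every scheduleId and serverId to the session's organization and gates the host-executing schedule types behind a privileged role.

```typescript
// Added illustration (not Dokploy's code): scoping schedule access to the
// caller's organization and role. Names and the data store are assumptions.

type Role = "owner" | "admin" | "member";
type ScheduleType = "application" | "server" | "dokploy-server";

interface Session { userId: string; organizationId: string; role: Role; }
interface Schedule {
  scheduleId: string;
  organizationId: string;
  scheduleType: ScheduleType;
  serverId?: string;
  script: string;
}
interface Server { serverId: string; organizationId: string; }

// Schedule types that write and execute a script on a host (from the advisory).
const HOST_EXEC: ReadonlySet<ScheduleType> = new Set<ScheduleType>(["server", "dokploy-server"]);

// Constructed stand-in for the database: one schedule and one server in orgA.
const schedules = new Map<string, Schedule>([
  ["s-a", { scheduleId: "s-a", organizationId: "orgA", scheduleType: "application", script: "echo a" }],
]);
const servers = new Map<string, Server>([
  ["srv-a", { serverId: "srv-a", organizationId: "orgA" }],
]);

function authzError(msg: string): Error {
  const e = new Error(msg);
  e.name = "AuthzError";
  return e;
}

// VULNERABLE pattern (kept to show the bug class): the schedule is fetched by
// id only, so any authenticated user who knows the id can act on it.
function runScheduleUnchecked(_session: Session, scheduleId: string): Schedule {
  const s = schedules.get(scheduleId);
  if (!s) throw new Error("schedule not found");
  return s; // the caller would now execute s.script on the host
}

// HARDENED: resolve the id, then require ownership by the active organization.
// "Missing" and "belongs to another org" return the same error so that ids
// cannot be enumerated across organizations.
function loadScheduleForOrg(session: Session, scheduleId: string): Schedule {
  const s = schedules.get(scheduleId);
  if (!s || s.organizationId !== session.organizationId) throw authzError("schedule not found");
  return s;
}

function loadServerForOrg(session: Session, serverId: string): Server {
  const srv = servers.get(serverId);
  if (!srv || srv.organizationId !== session.organizationId) throw authzError("server not found");
  return srv;
}

// Only owners and admins may create or run schedules that execute on a host.
function requireHostPrivilege(session: Session, type: ScheduleType): void {
  if (HOST_EXEC.has(type) && session.role === "member") {
    throw authzError("insufficient role for host-executing schedule");
  }
}

function runSchedule(session: Session, scheduleId: string): Schedule {
  const s = loadScheduleForOrg(session, scheduleId);
  requireHostPrivilege(session, s.scheduleType);
  return s;
}

function createSchedule(session: Session, input: Omit<Schedule, "organizationId">): Schedule {
  requireHostPrivilege(session, input.scheduleType);
  if (input.serverId !== undefined) loadServerForOrg(session, input.serverId);
  // The organization comes from the session, never from the request body.
  const s: Schedule = { ...input, organizationId: session.organizationId };
  schedules.set(s.scheduleId, s);
  return s;
}

// Returns true only when fn is rejected by an authorization check.
function denied(fn: () => unknown): boolean {
  try { fn(); return false; } catch (e) { return (e as Error).name === "AuthzError"; }
}
```

The two properties to carry into a real router are that every identifier taken from the request is resolved through a query filtered by the session's organization, and that the organization written on create is taken from the session rather than trusted from the client.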