What is the CVSS score of CVE-2026-45631?

CVE-2026-45631 has a CVSS 3.1 base score of 10.0 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Dokploy are affected by CVE-2026-45631?

Dokploy versions 0.27.0-0.29.2 expose a critical authentication bypass allowing any unauthenticated attacker to execute arbitrary commands on production hosts.. A patch is available.

How to fix or mitigate CVE-2026-45631?

24 hours: Identify all Dokploy instances in production and confirm versions; restrict network access to Dokploy management interfaces to trusted internal networks only via firewall rules; review access logs for suspicious activity and failed authentication attempts. 7 days: Monitor vendor for patch release to 0.29.3 or later and plan upgrade; if no patched version available by day 7, disable or isolate the SSH terminal API endpoint; immediately rotate all admin credentials and API keys. 30 days: Deploy patched Dokploy version to all instances; conduct full forensic audit of access logs and system command history across all affected deployments; implement persistent network segmentation isolating deployment management access; establish continuous monitoring for SSH terminal and authentication bypass attempts.

Dokploy CVE-2026-45631

EUVD-2026-33355 CRITICAL

Use of Hard-coded Credentials (CWE-798)

2026-05-29 GitHub_M

Authentication Bypass Dokploy

10.0

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

10.0 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 29, 2026 - 19:01 EUVD

Source Code Evidence Fetched

May 29, 2026 - 17:53 vuln.today

Analysis Generated

May 29, 2026 - 17:53 vuln.today

DescriptionGitHub Advisory

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

AnalysisAI

Remote code execution in Dokploy 0.27.0 through 0.29.2 allows unauthenticated attackers to forge email-verification JWTs using a hardcoded BETTER_AUTH_SECRET fallback ('better-auth-secret-123456789'), auto-sign-in as admin, and run arbitrary commands on the host through the built-in SSH terminal. The flaw carries a CVSS 10.0 score with network attack vector and no required privileges, and while no public exploit is identified at time of analysis, the trivially guessable secret makes weaponization straightforward.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed Dokploy instance

Delivery

Forge email-verification JWT with hardcoded secret

Exploit

Submit token to trigger auto-sign-in as admin

Execution

Open built-in browser SSH terminal

Persist

Execute arbitrary commands on host

Impact

Pivot to deployed apps and persist

Access

Discover exposed Dokploy instance

Delivery

Forge email-verification JWT with hardcoded secret

Exploit

Submit token to trigger auto-sign-in as admin

Execution

Open built-in browser SSH terminal

Persist

Execute arbitrary commands on host

Impact

Pivot to deployed apps and persist

Vulnerability AssessmentAI

Exploitation	Required: network reachability to a Dokploy 0.27.0-0.29.2 web interface where the operator did NOT override the default BETTER_AUTH_SECRET environment variable (the hardcoded fallback 'better-auth-secret-123456789' must be active). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	All available signals point to maximum priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker scans the internet for exposed Dokploy login pages, identifies a target running 0.27.0-0.29.2, and uses the publicly known 'better-auth-secret-123456789' to sign a forged email-verification JWT for a chosen email address. Submitting the forged token to Dokploy's verification endpoint triggers the auto-sign-in flow as an admin, after which the attacker opens the built-in browser-based SSH terminal and executes arbitrary shell commands on the host - pivoting into deployed containers, stealing application secrets, and persisting via cron or SSH key implantation.
Remediation	Upgrade immediately to Dokploy 0.29.3 or later, which is the vendor-released patch per the GitHub Security Advisory GHSA-w3gm-rc4p-9rhj (https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Dokploy instances in production and confirm versions; restrict network access to Dokploy management interfaces to trusted internal networks only via firewall rules; review access logs for suspicious activity and failed authentication attempts. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-45631 vulnerability details – vuln.today

Back

Dokploy CVE-2026-45631

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code