Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory (the only source for this CVE).
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description (GitHub Advisory)
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.
Analysis (AI)
Cross-tenant remote code execution in Dokploy 0.26.7 and earlier allows any authenticated user to hijack scheduled tasks belonging to other organizations and execute arbitrary scripts on the Dokploy host or managed remote servers. The schedule router fails to enforce organization and role authorization, so knowledge of a scheduleId/serverId is sufficient to create, modify, or trigger server-type schedules that run attacker-controlled shell commands. …
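The failure mode the description and analysis above name is a router that resolves a schedule or server by id alone, without checking that the record belongs to the caller's organization. The illustration below is an added TypeScript example, not Dokploy's code: the Session, Schedule and Server types, the in-memory store, the sample tenants and the role set are all assumptions made for the example. It shows the unscoped lookup beside a lookup that is scoped to the caller's organization at the query level, so that a foreign id yields "not found" rather than a record that a later handler might forget to authorize.

```typescript
// Added illustration (not Dokploy's code): organization-scoped authorization
// for schedule operations. Types, store, sample data and roles are assumed.

type Role = "owner" | "admin" | "member";

interface Session {
  userId: string;
  organizationId: string;
  role: Role;
}

interface Schedule {
  scheduleId: string;
  serverId: string;
  organizationId: string;
  scheduleType: "server" | "dokploy-server" | "application";
  script: string;
}

interface Server {
  serverId: string;
  organizationId: string;
}

// Constructed sample data: two tenants, each with one server and one schedule.
const servers: Server[] = [
  { serverId: "srv-a", organizationId: "org-a" },
  { serverId: "srv-b", organizationId: "org-b" },
];

const schedules: Schedule[] = [
  { scheduleId: "sch-a", serverId: "srv-a", organizationId: "org-a", scheduleType: "server", script: "echo a" },
  { scheduleId: "sch-b", serverId: "srv-b", organizationId: "org-b", scheduleType: "server", script: "echo b" },
];

class AuthorizationError extends Error {}

// Vulnerable pattern: the record is looked up by id alone, so any
// authenticated caller who knows the id can act on it.
export function findScheduleUnscoped(scheduleId: string): Schedule | undefined {
  return schedules.find((s) => s.scheduleId === scheduleId);
}

// Schedule types that execute scripts on a host need an elevated role.
const SCRIPT_TYPES = new Set<Schedule["scheduleType"]>(["server", "dokploy-server"]);
const SCRIPT_ROLES = new Set<Role>(["owner", "admin"]);

// Hardened pattern: the lookup is scoped to the caller's organization, and a
// foreign id is indistinguishable from a nonexistent one (no enumeration oracle).
export function findScheduleForSession(session: Session, scheduleId: string): Schedule {
  const schedule = schedules.find(
    (s) => s.scheduleId === scheduleId && s.organizationId === session.organizationId,
  );
  if (!schedule) {
    throw new AuthorizationError("schedule not found");
  }
  if (SCRIPT_TYPES.has(schedule.scheduleType) && !SCRIPT_ROLES.has(session.role)) {
    throw new AuthorizationError("role may not manage script-executing schedules");
  }
  return schedule;
}

// Create path: the target server must belong to the caller's organization
// before a schedule can be attached to it, and the stored organizationId
// comes from the session, never from the request body.
export function createScheduleForSession(
  session: Session,
  input: Omit<Schedule, "scheduleId" | "organizationId">,
): Schedule {
  const server = servers.find(
    (s) => s.serverId === input.serverId && s.organizationId === session.organizationId,
  );
  if (!server) {
    throw new AuthorizationError("server not found");
  }
  if (SCRIPT_TYPES.has(input.scheduleType) && !SCRIPT_ROLES.has(session.role)) {
    throw new AuthorizationError("role may not create script-executing schedules");
  }
  const schedule: Schedule = {
    ...input,
    scheduleId: `sch-${schedules.length + 1}`,
    organizationId: session.organizationId,
  };
  schedules.push(schedule);
  return schedule;
}

// Reports whether an operation was refused by the authorization layer.
export function isDenied(fn: () => unknown): boolean {
  try {
    fn();
    return false;
  } catch (e) {
    return e instanceof AuthorizationError;
  }
}
```

The point of scoping the query rather than checking ownership after the fact is that every handler on the router (create, update, run, delete) shares one code path that cannot return a foreign record, which is the class of omission the advisory describes.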
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must hold any authenticated Dokploy account on the target instance (CVSS PR:L) and must know or guess a scheduleId or serverId, including IDs belonging to other organizations, since the schedule router performs no organization or role check. … |
| Risk Assessment | The CVSS 9.9 score with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H is consistent with the description: a network-reachable API, low complexity, a low-privileged authenticated attacker, a scope change (one tenant's identity compromising another tenant's host), and full CIA impact via RCE. … |
| Exploit Scenario | An attacker registers or already possesses a low-privileged account on a shared Dokploy instance, enumerates or guesses scheduleId/serverId values belonging to another organization (or simply creates a new schedule targeting another org's serverId), and submits a 'server' or 'dokploy-server' schedule whose script body contains attacker-controlled shell commands. They then invoke the run endpoint for that schedule, causing Dokploy to execute the payload on the Dokploy host or the victim organization's remote server, achieving RCE under the privileges of the Dokploy execution context. … |
| Remediation | A patch is available per vendor advisory GHSA-7wmr-57mg-h5q6 (https://github.com/Dokploy/dokploy/security/advisories/GHSA-7wmr-57mg-h5q6). Administrators should upgrade Dokploy to the fixed release referenced there as soon as possible; the source material does not include an independently confirmed exact fix version number. … |
Recommended Action (AI)
Within 24 hours: Audit all Dokploy instances to determine versions in use; restrict user access to essential personnel only; enable audit logging on scheduled task creation and modification. …
EUVD-2026-33354