External risk intelligence

Dokploy Organization Checks Bypass Leading to Remote Code Execution.

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-45632

Dokploy contains a flaw where its schedule router fails to enforce organization and role checks, allowing authenticated users to manipulate schedules outside their own organization. This can lead to unauthorized script execution on servers, enabling remote code execution and posing a significant business risk.

Halo Surface Signal: 4

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-45632

Dokploy is a self-hostable Platform as a Service (PaaS) designed to manage deployments and servers. As a management platform, it is commonly deployed as an internet-facing administrative interface to facilitate remote infrastructure control and application deployment.

Horizon Alert

Summary of the vulnerability and why it matters

Dokploy, a self-hostable Platform as a Service, contains a flaw where its schedule router fails to enforce organization and role checks. This allows any authenticated user to manipulate schedules outside their own organization if they know specific identifiers. This could lead to unauthorized script execution on the Dokploy host or target servers, potentially enabling remote code execution.

  • Vulnerable: Dokploy schedule router
  • Weakness: Missing organization/role checks
  • Impact: Remote code execution on servers
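The missing check, sketched as an added example (this is not Dokploy's code; every type, function and ID name is hypothetical, and the rule that only owner and admin roles may change schedules is an assumption). The unchecked handler loads a schedule by ID alone, while the checked one ties both the schedule and its target server to the caller's organization.

```typescript
// Added illustration, not Dokploy's source. All identifiers are hypothetical.
type Role = "owner" | "admin" | "member";
interface Session { userId: string; organizationId: string; role: Role }
interface Schedule { scheduleId: string; organizationId: string; serverId: string; script: string }
type Result = { ok: true; schedule: Schedule } | { ok: false; reason: "not_found" | "forbidden" };

// Constructed sample data: two organizations sharing one instance.
const schedules = new Map<string, Schedule>([
  ["sch-a1", { scheduleId: "sch-a1", organizationId: "org-a", serverId: "srv-a", script: "backup.sh" }],
  ["sch-b1", { scheduleId: "sch-b1", organizationId: "org-b", serverId: "srv-b", script: "rotate-logs.sh" }],
]);
const serverOrg = new Map<string, string>([["srv-a", "org-a"], ["srv-b", "org-b"]]);

// Flawed shape: the record is looked up by ID alone, so any authenticated
// session reaches schedules that belong to other organizations.
function updateScheduleUnchecked(_session: Session, scheduleId: string, script: string): Result {
  const schedule = schedules.get(scheduleId);
  if (!schedule) return { ok: false, reason: "not_found" };
  schedule.script = script;
  return { ok: true, schedule };
}

// Hardened shape: role check first, then ownership of both the schedule and
// the server it will run on. Foreign and missing IDs get the same answer, so
// the response does not confirm that an ID exists in another organization.
function updateScheduleChecked(session: Session, scheduleId: string, script: string, serverId: string): Result {
  // Assumption: only owner and admin roles may change schedules.
  if (session.role === "member") return { ok: false, reason: "forbidden" };
  const schedule = schedules.get(scheduleId);
  if (!schedule || schedule.organizationId !== session.organizationId) return { ok: false, reason: "not_found" };
  if (serverOrg.get(serverId) !== session.organizationId) return { ok: false, reason: "not_found" };
  schedule.script = script;
  schedule.serverId = serverId;
  return { ok: true, schedule };
}

// Audit helper for reviewing existing data: schedules whose target server
// belongs to a different organization than the schedule itself.
function crossOrgSchedules(): string[] {
  return Array.from(schedules.values())
    .filter((s) => serverOrg.get(s.serverId) !== s.organizationId)
    .map((s) => s.scheduleId);
}
```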

Attack Path

How an attacker could exploit the issue

An authenticated user can exploit a vulnerability in Dokploy to gain control over other organizations' schedules and scripts. This occurs when the schedule router fails to enforce proper organization and role checks, allowing any authenticated user to manipulate schedules if they know the schedule ID. The attacker can then leverage schedule types that write and execute scripts on host or remote servers, leading to remote code execution. This compromise can impact affected organizations by allowing unauthorized access and control over their infrastructure, potentially leading to data breaches or system disruption.

  • Attacker knows a schedule ID or server ID belonging to another organization.
  • Authenticated user creates, updates, or runs schedules.
  • Attacker achieves remote code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Dokploy could allow an authenticated user to execute commands on affected systems by manipulating schedule configurations. Attackers could potentially gain control of servers, access sensitive data, or disrupt operations. The remote code execution capability presents a significant risk to business operations.

  • Likely attacker skill level: Low
  • Required access or conditions: Authenticated user
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows authenticated users to perform unauthorized actions on schedules belonging to other organizations within Dokploy. If the affected schedule types are used, this could lead to remote code execution on Dokploy hosts or target servers, posing a significant business risk. The business impact includes potential compromise of infrastructure and sensitive data.

  • Identify all Dokploy instances and affected schedules.
  • Restrict access to sensitive schedules.
  • Apply vendor updates and validate.
  • Monitor for related activity.

Frequently asked questions

What is Dokploy and what is its primary function?

Dokploy is a free, self-hostable Platform as a Service (PaaS) that users can deploy on their own servers. Its main purpose is to facilitate the management of application deployments and provide control over server infrastructure.

What is the core weakness in CVE-2026-45632 and its classification?

The weakness in CVE-2026-45632 is a missing organization and role check within Dokploy's schedule router. This is classified as an authorization bypass (CWE-862) and can also lead to OS command injection (CWE-78) due to the potential for unauthorized command execution.

How can an authenticated attacker exploit the Dokploy vulnerability?

An authenticated attacker can exploit this vulnerability by knowing a schedule ID or server ID to create, update, run, or delete schedules belonging to organizations other than their own. This is possible because the schedule router does not enforce proper checks.

What is the potential impact of exploiting this Dokploy vulnerability?

Exploiting this Dokploy vulnerability can lead to remote code execution (RCE) on the Dokploy host or on target servers. This is because certain schedule types are designed to write and execute scripts on these servers, allowing an attacker to gain unauthorized control.

What are the recommended steps to mitigate the Dokploy schedule router vulnerability?

To mitigate this vulnerability, organizations should identify all Dokploy instances and affected schedules. It is advisable to restrict access to sensitive schedules, promptly apply vendor updates when available, and validate that the updates have been successfully implemented. Continuous monitoring for related suspicious activity is also recommended.
