CRITICAL🇵🇱 Wersja polska

CVE-2026-45631

CVSS 10.0v3.1pub. 2026-05-29upd. 2026-06-01

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

🤖 AI Analysis
How it works

The application contains a hardcoded, immutable fallback secret BETTER_AUTH_SECRET with the value 'better-auth-secret-123456789', used to sign JWT tokens for email verification. An attacker knowing this value can independently forge a valid JWT, trigger the automatic login mechanism with administrator privileges, and then use the built-in SSH terminal to execute arbitrary commands directly on the host server. The entire attack requires no credentials or user interaction.

Impact

Attacker gains full control over the host — can execute arbitrary system commands, read and modify data, and potentially compromise the entire infrastructure managed by the platform.

Mitigation & patch

Dokploy must be immediately updated to version 0.29.3 or later, in which the vulnerability has been patched. After updating, it is also recommended to invalidate all active administrative sessions and reset the BETTER_AUTH_SECRET to a unique, random value.

Who is affected

Dokploy versions 0.27.0 to 0.29.2 (before 0.29.3) running in self-hosted mode.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References