Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
The application contains a hardcoded, immutable fallback secret BETTER_AUTH_SECRET with the value 'better-auth-secret-123456789', used to sign JWT tokens for email verification. An attacker knowing this value can independently forge a valid JWT, trigger the automatic login mechanism with administrator privileges, and then use the built-in SSH terminal to execute arbitrary commands directly on the host server. The entire attack requires no credentials or user interaction.
Attacker gains full control over the host — can execute arbitrary system commands, read and modify data, and potentially compromise the entire infrastructure managed by the platform.
Dokploy must be immediately updated to version 0.29.3 or later, in which the vulnerability has been patched. After updating, it is also recommended to invalidate all active administrative sessions and reset the BETTER_AUTH_SECRET to a unique, random value.
Dokploy versions 0.27.0 to 0.29.2 (before 0.29.3) running in self-hosted mode.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H