Siumauricio

**Name of the Vulnerable Software and Affected Versions** Dokploy versions prior to 0.19.1 **Description** The `protectedProcedure` middleware only verifies user authentication but fails to enforce organization scoping. This leads to an Insecure Direct Object Reference (IDOR), where endpoints do not verify if the resource's organization matches the session's `activeOrganizationId`. Affected endpoints include: - In deployment.ts: 'allByType', 'killProcess', and 'removeDeployment' - In rollbacks.ts: 'delete' - In backup.ts: 'create', 'one', 'update', 'remove', 'manualBackupPostgres', 'MySql', 'Mariadb', 'Mongo', 'Compose', 'WebServer', and 'listBackupFiles' - In volume-backups.ts: 'list', 'one', 'delete', 'update', 'runManually', and 'restoreVolumeBackupWithLogs' - In cluster.ts: 'getNodes', 'removeWorker', 'addWorker', and 'addManager' - In mount.ts: 'create' **Recommendations** Update to a version later than 0.19.0.