PT-2026-44929 · Dokploy · Dokploy

Siumauricio

·

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-43917

CVSS v4.0

5.3

Medium

VectorAV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Dokploy versions prior to 0.19.1
Description The protectedProcedure middleware only verifies user authentication but fails to enforce organization scoping. This leads to an Insecure Direct Object Reference (IDOR), where endpoints do not verify if the resource's organization matches the session's activeOrganizationId. Affected endpoints include:
  • In deployment.ts: 'allByType', 'killProcess', and 'removeDeployment'
  • In rollbacks.ts: 'delete'
  • In backup.ts: 'create', 'one', 'update', 'remove', 'manualBackupPostgres', 'MySql', 'Mariadb', 'Mongo', 'Compose', 'WebServer', and 'listBackupFiles'
  • In volume-backups.ts: 'list', 'one', 'delete', 'update', 'runManually', and 'restoreVolumeBackupWithLogs'
  • In cluster.ts: 'getNodes', 'removeWorker', 'addWorker', and 'addManager'
  • In mount.ts: 'create'
Recommendations Update to a version later than 0.19.0.

Exploit

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-43917
GHSA-F8WJ-5C4W-FRHG

Affected Products

Dokploy