PT-2026-44929 · Dokploy · Dokploy
Siumauricio
·
Published
2026-05-29
·
Updated
2026-05-29
·
CVE-2026-43917
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Dokploy versions prior to 0.19.1
Description
The
protectedProcedure middleware only verifies user authentication but fails to enforce organization scoping. This leads to an Insecure Direct Object Reference (IDOR), where endpoints do not verify if the resource's organization matches the session's activeOrganizationId. Affected endpoints include:- In deployment.ts: 'allByType', 'killProcess', and 'removeDeployment'
- In rollbacks.ts: 'delete'
- In backup.ts: 'create', 'one', 'update', 'remove', 'manualBackupPostgres', 'MySql', 'Mariadb', 'Mongo', 'Compose', 'WebServer', and 'listBackupFiles'
- In volume-backups.ts: 'list', 'one', 'delete', 'update', 'runManually', and 'restoreVolumeBackupWithLogs'
- In cluster.ts: 'getNodes', 'removeWorker', 'addWorker', and 'addManager'
- In mount.ts: 'create'
Recommendations
Update to a version later than 0.19.0.
Exploit
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Dokploy