CVE-2026-45631

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER AUTH SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

Fix

Using Hardcoded Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-798

Related Identifiers

CVE-2026-45631

Affected Products

Dokploy

CVE-2026-45631

Weakness Enumeration

Related Identifiers

Affected Products

References · 3