Critical Security Flaw in Dokploy: Authentication Bypass (CVE-2026-45631)

June 4, 2026 (updated June 8, 2026)

🔄 Update, June 8, 2026: Details and Patches Released for Critical Vulnerabilities (CVE-2026-45631)

Details regarding the critical authentication bypass in the self-hostable PaaS Dokploy (CVE-2026-45631) have been made public, revealing a hardcoded secret fallback. In addition, other security vulnerabilities such as CVE-2026-45633 and CVE-2026-45630 have also been identified and addressed.

What’s new?

  • Critical Admin Takeover (CVE-2026-45631): A hardcoded fallback for BETTER_AUTH_SECRET (“better-auth-secret-123456789”) allows unauthenticated remote attackers to forge administrator sessions and gain complete administrative control of the server. Affected versions are 0.27.0 to before 0.29.3.
  • Additional Vulnerabilities Patched: The patches also resolve CVE-2026-45633 (command injection in the logs endpoint) and CVE-2026-45630 (OS command injection).
  • Security Update Available: These vulnerabilities are fixed in Dokploy version 0.29.3 (via PR #4374). Self-hosted Dokploy users are urged to immediately update to version 0.29.3 or higher.

Why this adds to the article

This update provides essential technical details regarding the hardcoded secret exploit and points users to the official 0.29.3 patch to secure their environments.

Summary

A critical security vulnerability (CVE-2026-45631) in Dokploy allows attackers to bypass authentication and gain unauthorized access to the deployment dashboard.

What happened?

An authentication bypass vulnerability, identified as CVE-2026-45631, has been discovered in Dokploy. This flaw enables third parties to circumvent security controls and potentially take full control of the deployed infrastructure.

Why it matters

Dokploy is widely used for managing deployments. Unauthorized access to the dashboard not only compromises the integrity of applications but can also lead to the theft of sensitive data or the manipulation of production environments.

Evidence

Security practitioners on LinkedIn (e.g., NextGuard HQ) have reported on the vulnerability and warned of the risks. The vulnerability is classified as critical.

Analysis

The flaw appears to reside in Dokploy’s authentication mechanism. Without appropriate patches, attackers can skip login pages or access administrative functions without valid credentials.

Practical Takeaways

  • Dokploy users should immediately check for available updates.
  • Administrators should temporarily restrict access to the dashboard (e.g., via IP whitelisting) until a patch is applied.
  • Monitor logs for unusual access attempts.

Open Questions

It is still unclear which version exactly includes the patch and whether active exploits have been observed in the wild.

Sources

  1. Dokploy CVE-2026-45631 Authentication Bypass Vulnerability
  2. CVE-2026-45631 Detail - NVD
  3. SentinelOne Vulnerability Database - CVE-2026-45631
  4. Dokploy GitHub Security Advisories
  5. CVE-2026-45631 — Critical Vulnerability | VulnBase
  6. YouTube Analysis CVE-2026-45631