CVE-2026-45631: Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
HarborGuard Analysis
Synopsis
Dokploy ships with a hardcoded fallback value for its BETTER_AUTH_SECRET, which lets an unauthenticated network attacker forge email-verification JWTs against vulnerable self-hosted instances. The forged token triggers an auto-sign-in as admin, after which the attacker can run arbitrary commands on the underlying host through the built-in SSH terminal, leading to full host compromise. A patched-image rebuild at 0.29.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection (Available): Detection is available across every HarborGuard environment: the Dokploy advisory is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that bundle or extend Dokploy between 0.27.0 and 0.29.3.
- Triage (Available): Triage is available with the published CVSS 3.1 score of 10.0 (critical), reweighted against each customer's compliance policy so that internet-exposed PaaS hosts escalate ahead of isolated ones, and routed to the right inbox inside each customer org.
- Remediation (Pending upstream): A patched-image rebuild at Dokploy 0.29.3 becomes available on HarborGuard for affected environments. Customers with auto-remediation enabled get the rebuilt image, a regression-test run, and a PR opened against workloads pinned to an affected version.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Dokploy web interface over the network (AV:N).
- Authentication: Not required. No credentials are needed; the forged JWT is accepted pre-auth (PR:N).
- Victim interaction: Not required. No admin or user action is required to trigger the auto-sign-in (UI:N).
- Attack complexity: Low. Exploitation is reliable and condition-free because the fallback secret is a known constant (AC:L).
Blast Radius
- Forges a valid admin session against the Dokploy instance without any prior account.
- Executes arbitrary shell commands on the host via the built-in SSH terminal, yielding full host takeover.
- Reads, modifies, and deletes any application, deployment config, and secret managed by the PaaS.
- Disrupts or destroys hosted services and pivots from the compromised host into adjacent infrastructure.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at Dokploy 0.29.3 is published for affected environments, and for customers who opt into auto-remediation the platform rebuilds the image, runs regression tests, and opens a PR against workloads pinned to 0.27.0 through 0.29.2. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy blocks automatic upgrades, HarborGuard surfaces compensating controls such as restricting network exposure of the Dokploy UI, enforcing a non-default BETTER_AUTH_SECRET via environment configuration, and disabling the SSH terminal feature until the upgrade lands.
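As an added illustration of the compensating control named above (enforcing a non-default BETTER_AUTH_SECRET), and not code from Dokploy or HarborGuard, the following startup guard refuses to boot when the secret is unset, equals the fallback string quoted in this advisory, or is too short or too low in entropy. The 32-character minimum and the 128-bit entropy floor are assumptions for the example, not Dokploy's own policy.

```javascript
// Added example (not Dokploy's or HarborGuard's code): fail-closed check of
// BETTER_AUTH_SECRET at process start. Only the fallback string comes from the
// advisory; the length and entropy thresholds below are assumptions.

const KNOWN_FALLBACK_SECRETS = new Set([
  "better-auth-secret-123456789", // the hardcoded fallback behind CVE-2026-45631
]);

const MIN_SECRET_LENGTH = 32;   // assumption: 32 chars (256 bits if random hex/base64)
const MIN_ENTROPY_BITS = 128;   // assumption: reject secrets with little variety

// Shannon entropy of the string in bits (per-character entropy times length).
// This is a coarse weakness check, not a proof of randomness.
function shannonBits(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let perChar = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    perChar -= p * Math.log2(p);
  }
  return perChar * value.length;
}

// Returns { ok, reason } so a caller can log the reason before exiting.
function validateAuthSecret(env) {
  const secret = env.BETTER_AUTH_SECRET;
  if (secret === undefined || secret.trim() === "") {
    return { ok: false, reason: "BETTER_AUTH_SECRET is not set" };
  }
  if (KNOWN_FALLBACK_SECRETS.has(secret)) {
    return { ok: false, reason: "BETTER_AUTH_SECRET is a known hardcoded fallback" };
  }
  if (secret.length < MIN_SECRET_LENGTH) {
    return { ok: false, reason: `BETTER_AUTH_SECRET shorter than ${MIN_SECRET_LENGTH} chars` };
  }
  if (shannonBits(secret) < MIN_ENTROPY_BITS) {
    return { ok: false, reason: "BETTER_AUTH_SECRET has too little entropy" };
  }
  return { ok: true, reason: "ok" };
}

// Throws instead of silently falling back, so a misconfigured deployment
// never starts with a guessable signing key.
function requireAuthSecret(env = process.env) {
  const result = validateAuthSecret(env);
  if (!result.ok) throw new Error(`refusing to start: ${result.reason}`);
  return result;
}
```

Call requireAuthSecret() once before the auth library is initialised so that the process fails closed rather than running with a default key.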
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1 (Dokploy / dokploy >= 0.27.0, < 0.29.3)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H