Severity: CRITICAL | CVE-2026-45632 | CNA: GitHub_M

CVE-2026-45632: Dokploy: Schedule Authorization Bypass Enables Host/Server Command Execution

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.

HarborGuard Analysis

Synopsis

Authorization bypass in Dokploy's schedule router (versions 0.26.7 and earlier) lets any authenticated user create, update, run, or delete schedules across organization boundaries by supplying a known scheduleId or serverId. Because schedules of type server and dokploy-server write and execute scripts on the host or a remote server, exploitation yields full remote code execution on the Dokploy host or any managed server. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.
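The following is an added illustration, not Dokploy's code: the record shapes, session fields, role names and function names are assumptions. It shows the class of check the synopsis describes as missing, with the unchecked handler beside a hardened one that resolves the schedule (or server) by id and then requires the record to belong to the caller's organization before acting, plus a role gate for the two host-level schedule types. Denials go to an audit list, which is the signal a defender would look for when reviewing schedule activity.

```typescript
// Added example (not Dokploy's code). All names and data shapes are assumptions.
type ScheduleType = "application" | "server" | "dokploy-server";

interface Schedule { scheduleId: string; organizationId: string; type: ScheduleType; serverId?: string }
interface Server { serverId: string; organizationId: string }
interface Session { userId: string; organizationId: string; role: "owner" | "admin" | "member" }

// Constructed in-memory records standing in for the database.
const schedules = new Map<string, Schedule>([
  ["sch-a1", { scheduleId: "sch-a1", organizationId: "org-A", type: "server", serverId: "srv-a" }],
  ["sch-b1", { scheduleId: "sch-b1", organizationId: "org-B", type: "dokploy-server" }],
]);
const servers = new Map<string, Server>([
  ["srv-a", { serverId: "srv-a", organizationId: "org-A" }],
  ["srv-b", { serverId: "srv-b", organizationId: "org-B" }],
]);

// Denied cross-organization accesses are recorded here for review.
export const auditLog: string[] = [];

export class ForbiddenError extends Error {}
export class NotFoundError extends Error {}

// VULNERABLE pattern (the bug class in the advisory): the handler trusts the
// scheduleId from the request and never compares the record's organization
// with the caller's, so any authenticated user reaches any schedule.
export function runScheduleUnchecked(_session: Session, scheduleId: string): Schedule {
  const schedule = schedules.get(scheduleId);
  if (!schedule) throw new NotFoundError(scheduleId);
  return schedule; // a real handler would go on to execute the script
}

// HARDENED: resolve the record, then require that it belongs to the caller's
// organization. Foreign records are reported as NotFound rather than Forbidden
// so the endpoint does not confirm which ids exist in other organizations.
function assertOwnedSchedule(session: Session, scheduleId: string): Schedule {
  const schedule = schedules.get(scheduleId);
  if (!schedule || schedule.organizationId !== session.organizationId) {
    auditLog.push(`deny user=${session.userId} org=${session.organizationId} schedule=${scheduleId}`);
    throw new NotFoundError(scheduleId);
  }
  return schedule;
}

function assertOwnedServer(session: Session, serverId: string): Server {
  const server = servers.get(serverId);
  if (!server || server.organizationId !== session.organizationId) {
    auditLog.push(`deny user=${session.userId} org=${session.organizationId} server=${serverId}`);
    throw new NotFoundError(serverId);
  }
  return server;
}

// Schedule types that write and execute scripts on the Dokploy host or a
// remote server are additionally gated on role (role names are assumed).
const HOST_TYPES: ScheduleType[] = ["server", "dokploy-server"];

function assertRoleForType(session: Session, type: ScheduleType): void {
  if (HOST_TYPES.includes(type) && session.role === "member") {
    throw new ForbiddenError("host-level schedules require admin or owner");
  }
}

export function createSchedule(
  session: Session,
  input: Omit<Schedule, "scheduleId" | "organizationId">,
  newId: string,
): Schedule {
  assertRoleForType(session, input.type);
  if (input.serverId !== undefined) assertOwnedServer(session, input.serverId);
  // organizationId always comes from the session, never from the request body.
  const schedule: Schedule = { ...input, scheduleId: newId, organizationId: session.organizationId };
  schedules.set(newId, schedule);
  return schedule;
}

export function runSchedule(session: Session, scheduleId: string): Schedule {
  const schedule = assertOwnedSchedule(session, scheduleId);
  assertRoleForType(session, schedule.type);
  return schedule;
}

export function deleteSchedule(session: Session, scheduleId: string): boolean {
  assertOwnedSchedule(session, scheduleId);
  return schedules.delete(scheduleId);
}
```

The ownership check is applied to every input id a mutation consumes (the schedule itself and the serverId a new schedule points at), and the organization on a created record is taken from the session rather than the request, so a client cannot supply another tenant's organizationId.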

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against Dokploy images in customer registries and pipelines, including custom-built derivatives. Coverage applies whether the image is pulled from a public registry or built internally.
Triage: Available

Triage is available with the published CVSS 3.1 score of 9.9 (critical), weighted by each customer's compliance policy, so environments with a stricter posture see it ranked even higher. Findings route to the inbox configured for critical-severity items inside each customer org.
Patch: Pending upstream

No fix version has been published by the Dokploy maintainers. HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment an upstream fix ships; for customers who opt into auto-remediation, that rebuild will trigger a regression run and a PR opened against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Dokploy API over the network where the schedule router is exposed.

  • Authentication: Required

    Any low-privilege authenticated Dokploy account is sufficient; no admin role or cross-org membership is needed.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any user in the target organization.

  • Attack complexity: Low (AC:L)

    AC:L indicates the exploit is reliable once a valid scheduleId or serverId is known, with no race or environmental preconditions.

Blast Radius

  • Executes arbitrary scripts on the Dokploy host or any managed remote server, yielding full RCE under the Dokploy service account.
  • Reads, modifies, or deletes schedules and any data reachable from the compromised host, including secrets, deployment configs, and tenant workloads.
  • Disrupts or destroys scheduled jobs and the services they manage across other organizations on the same Dokploy instance.
  • Pivots across tenant boundaries because the scope-changed vector (S:C) means impact extends beyond the vulnerable component to every org sharing the host.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Dokploy advisory with automatic re-check each ingest cycle, so a patched-image rebuild becomes available the moment upstream publishes a fix. In the meantime, compensating-control suggestions surface in the finding: restrict network exposure of the Dokploy API to trusted operators only, isolate the Dokploy host with network policy and egress filtering, audit existing user accounts and revoke any that are not strictly necessary, and review schedule activity logs for unexpected scheduleId or serverId access. For customers who opt into auto-remediation, the rebuilt image, regression run, and PR against affected workloads will trigger automatically once the upstream patch lands.


Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1
  • Affected packages: Dokploy / dokploy, <= 0.26.7
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H