
CVE-2026-45631: Dokploy PaaS: Hardcoded Secret Exposes Admin Access

CVE-2026-45631
Summary

Dokploy's self-hosted Platform as a Service is affected. An attacker without a login could gain full access to the system, including executing commands and signing in as an admin. Update to the latest version, 0.29.3, to fix this issue.

Original title
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacke...
Original description
Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.
NVD CVSS 3.1: 10.0
Vulnerability type
CWE-798 Use of Hard-coded Credentials
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026
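
The CWE-798 pattern described above, shown beside a fail-closed form, as an added example that is not Dokploy's source code or its actual fix. The function names, the 32-byte minimum and the sample inputs are assumptions of this example; only the variable name and the fallback string come from the description.

```javascript
// Added example (not Dokploy's code): how a hardcoded fallback secret arises
// and a startup guard that refuses to run with it.

// Fallback value published in the CVE-2026-45631 description.
const KNOWN_DEFAULTS = new Set(["better-auth-secret-123456789"]);
const MIN_SECRET_BYTES = 32; // assumed policy for this example

// Vulnerable pattern (CWE-798): when the variable is unset, every install
// silently shares one signing secret that anyone can read in the source.
function resolveSecretVulnerable(env) {
  return env.BETTER_AUTH_SECRET || "better-auth-secret-123456789";
}

// Hardened pattern: fail closed. No fallback, no known default, and a
// minimum length so short placeholder values are rejected too.
function resolveSecretHardened(env) {
  const secret = env.BETTER_AUTH_SECRET;
  if (typeof secret !== "string" || secret.trim() === "") {
    throw new Error("BETTER_AUTH_SECRET is not set; refusing to start");
  }
  if (KNOWN_DEFAULTS.has(secret)) {
    throw new Error("BETTER_AUTH_SECRET is a publicly known default");
  }
  if (Buffer.byteLength(secret, "utf8") < MIN_SECRET_BYTES) {
    throw new Error(
      `BETTER_AUTH_SECRET must be at least ${MIN_SECRET_BYTES} bytes`
    );
  }
  return secret;
}

// Audit helper for a deployment's environment: returns "ok" or the reason
// the configured secret is unsafe.
function auditSecret(env) {
  try {
    resolveSecretHardened(env);
    return "ok";
  } catch (err) {
    return err.message;
  }
}

// Constructed sample environments, not taken from a real deployment.
console.log(auditSecret({}));
console.log(auditSecret({ BETTER_AUTH_SECRET: "better-auth-secret-123456789" }));
console.log(auditSecret({ BETTER_AUTH_SECRET: "x".repeat(43) }));
```

An instance that ever ran with the fallback should be given a new randomly generated secret as well as the update to 0.29.3, since tokens signed with the published value would otherwise remain valid.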