CVE-2026-45632: Dokploy PaaS allows unauthorized schedule creation
Summary
In Dokploy 0.26.7 and earlier, any authenticated user can create, update, or delete schedules belonging to other organizations. This could allow attackers to run malicious scripts on the Dokploy host or a target server, potentially leading to remote code execution. Update to the latest version of Dokploy to fix this issue.
Original title
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, ...
Original description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId. Schedule types server and dokploy-server write and execute scripts on the host or remote servers, enabling RCE on the Dokploy host or a target server.
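The kind of check the description says is missing, as an added example (not Dokploy's code): a guard that ties every schedule action to the caller's organization and role. All type, function and field names, the sample rows, and the rule that host-executing schedule types require owner or admin are assumptions.

```typescript
// Added example: every identifier here is hypothetical, not Dokploy's code.
type Role = "owner" | "admin" | "member";
type Verdict = "allow" | "not_found" | "forbidden";
interface Session { userId: string; organizationId: string; role: Role }
interface Schedule { scheduleId: string; organizationId: string; scheduleType: string }
interface Server { serverId: string; organizationId: string }

// Constructed sample rows standing in for the database.
const SCHEDULES: Schedule[] = [
  { scheduleId: "sch-a1", organizationId: "org-a", scheduleType: "dokploy-server" },
  { scheduleId: "sch-b1", organizationId: "org-b", scheduleType: "server" },
];
const SERVERS: Server[] = [{ serverId: "srv-b1", organizationId: "org-b" }];

// The advisory names these two types as writing and executing scripts on a host.
function runsOnHost(scheduleType: string): boolean {
  return scheduleType === "server" || scheduleType === "dokploy-server";
}

// Assumed policy: host-executing schedules need owner or admin.
function roleCheck(session: Session, scheduleType: string): Verdict {
  return runsOnHost(scheduleType) && session.role === "member" ? "forbidden" : "allow";
}

// Guard for update, run and delete: resolve the row first, then compare its
// organization with the session's, never with anything from the request body.
function authorizeExisting(session: Session, scheduleId: string): Verdict {
  const row = SCHEDULES.filter((s) => s.scheduleId === scheduleId)[0];
  // Unknown id and foreign id get the same verdict so ids cannot be probed.
  if (!row || row.organizationId !== session.organizationId) return "not_found";
  return roleCheck(session, row.scheduleType);
}

// Guard for create: a referenced serverId must belong to the caller's organization.
function authorizeCreate(session: Session, scheduleType: string, serverId?: string): Verdict {
  if (serverId !== undefined) {
    const srv = SERVERS.filter((s) => s.serverId === serverId)[0];
    if (!srv || srv.organizationId !== session.organizationId) return "not_found";
  }
  return roleCheck(session, scheduleType);
}
```

The guard runs before any script is written or executed, so a known scheduleId or serverId from another organization is not enough on its own.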
NVD CVSS 3.1 score: 9.9
Vulnerability type
CWE-78: OS Command Injection
CWE-269: Improper Privilege Management
CWE-862: Missing Authorization
Published: 29 May 2026 · Updated: 31 May 2026 · First seen: 29 May 2026