CVE-2026-45631

EPSS 0.35%
Veröffentlicht 29.05.2026 16:13:59
Zuletzt bearbeitet 01.06.2026 17:17:10
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dokploy: Pre-Auth Admin Takeover via Hardcoded Authentication Secret

Dokploy is a free, self-hostable Platform as a Service (PaaS). From 0.27.0 to before 0.29.3, a hardcoded BETTER_AUTH_SECRET fallback ("better-auth-secret-123456789") lets an unauthenticated attacker forge email verification JWTs, trigger auto-sign-in as admin, and execute commands on the host via the built-in SSH terminal. This vulnerability is fixed in 0.29.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerDokploy

≫

Produkt dokploy

Version >= 0.27.0, < 0.29.3

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.35%	0.269

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	10	3.9	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/Dokploy/dokploy/security/advisories/GHSA-w3gm-rc4p-9rhj

https://github.com/Dokploy/dokploy/pull/4374

https://nvd.nist.gov/vuln/detail/CVE-2026-45631

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-45631

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-45631

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-45631