Description
Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.
Published: 2026-05-29
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokploy PaaS contains an IDOR vulnerability in the protectedProcedure middleware. In versions 0.19.0 and earlier the middleware only verifies that a user is authenticated; it does not enforce that the requested resource belongs to the user's active organization. Each tRPC endpoint listed in the advisory (in the deployment, backup, volume-backups, cluster, and mount routers) must therefore perform its own organization validation, and the listed endpoints currently do not. The result is that an authenticated user can access, modify, or delete resources controlled by other organizations. The flaw directly maps to CWE-639, Improper Authorization.

Affected Systems

The vulnerability affects the Dokploy platform as a service, specifically releases 0.19.0 and earlier. An authenticated user with access to any of the affected tRPC endpoints can read or modify deployments, backups, cluster nodes, and mount points belonging to organizations other than their own. The problem is present in the following modules: deployment, rollbacks, backup, volume-backups, cluster, and mount.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity. No EPSS score is provided, and the absence of a KEV listing suggests that exploitation in the wild is not yet documented. The attack requires a valid authenticated session: an attacker who controls a user account able to call any tRPC endpoint can send requests to endpoints that check only authentication and target resources in other organizations. Because organization scoping is left to each endpoint individually, the vulnerability can be abused by ordinary authenticated users or by attackers who have stolen credentials.

Generated by OpenCVE AI on May 29, 2026 at 18:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the newest Dokploy release that includes the missing activeOrganizationId check for all tRPC endpoints.
  • If an upgrade is not immediately possible, manually enforce activeOrganizationId validation in each affected endpoint – for example, by adding a middleware that compares the resource’s organization ID with the session’s active organization ID.
  • Limit user privileges so that accounts can only access one organization or restrict them from using endpoints that can modify cross‑organization resources.
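The middleware recommendation above, shown as an added example that is not Dokploy's own code: plain TypeScript with no tRPC runtime, where Session, Deployment, the in-memory store and the error codes are constructed names for illustration. The vulnerable handler checks authentication only; the hardened one also requires the resource's organization to match the session's activeOrganizationId.

```typescript
// Added example, not Dokploy's own code: models the gap described above in plain
// TypeScript with no tRPC runtime. Session, Deployment, the store and the error
// codes are constructed names for illustration.

interface Session { userId: string; activeOrganizationId: string }
interface Deployment { deploymentId: string; organizationId: string }
type Store = Map<string, Deployment>;

// Constructed sample data: two organizations, one deployment each.
function makeStore(): Store {
  return new Map<string, Deployment>([
    ["dep-a", { deploymentId: "dep-a", organizationId: "org-a" }],
    ["dep-b", { deploymentId: "dep-b", organizationId: "org-b" }],
  ]);
}

// Mirrors a protectedProcedure that only checks that a session exists.
function requireAuth(session: Session | null): Session {
  if (!session) throw new Error("UNAUTHORIZED");
  return session;
}

// Vulnerable pattern: authenticated, but the deployment's organization is never
// compared with the session's activeOrganizationId.
function removeDeploymentVulnerable(store: Store, session: Session | null, id: string): boolean {
  requireAuth(session);
  return store.delete(id);
}

// Hardened pattern: resolve the resource, then require that its organization
// equals the session's active organization before acting. A foreign-org id is
// reported as NOT_FOUND so the response does not confirm that the id exists.
function loadScoped(store: Store, session: Session, id: string): Deployment {
  const dep = store.get(id);
  if (!dep || dep.organizationId !== session.activeOrganizationId) {
    throw new Error("NOT_FOUND");
  }
  return dep;
}

function removeDeploymentScoped(store: Store, session: Session | null, id: string): boolean {
  const s = requireAuth(session);
  return store.delete(loadScoped(store, s, id).deploymentId);
}

// Reports the outcome of a handler call as a short string.
function attempt(fn: () => boolean): string {
  try { return fn() ? "deleted" : "missing"; } catch (e) { return (e as Error).message; }
}

// Runs the same cross-organization request (org-a user, org-b deployment)
// against both handlers on fresh stores and returns what each one did.
function demo(): { vulnerable: string; scoped: string } {
  const orgAUser: Session = { userId: "u1", activeOrganizationId: "org-a" };
  return {
    vulnerable: attempt(() => removeDeploymentVulnerable(makeStore(), orgAUser, "dep-b")),
    scoped: attempt(() => removeDeploymentScoped(makeStore(), orgAUser, "dep-b")),
  };
}
```

The same loadScoped-style check belongs in every listed endpoint (or in a shared org-scoped procedure), since the authentication-only middleware cannot know which resource a given call will touch.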


Tracking


Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Dokploy; Dokploy dokploy
Vendors & Products    (none)           Dokploy; Dokploy dokploy

Fri, 29 May 2026 17:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.
Title         (none)           Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation
Weaknesses    (none)           CWE-639
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:35:59.595Z

Reserved: 2026-05-04T16:11:33.086Z

Link: CVE-2026-43917

Vulnrichment

Updated: 2026-05-29T19:35:53.290Z

NVD

Status : Deferred

Published: 2026-05-29T18:17:09.550

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-43917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses