Impact
The Dokploy PaaS application (versions 0.26.7 and earlier) contains an authorization flaw in the schedule router: the procedures that handle schedules omit organization and role checks. Any authenticated user who can guess or otherwise obtain a scheduleId or serverId can therefore create, update, execute, or delete schedules that belong to other organizations. Because running a schedule of type server or dokploy-server writes a script to the Dokploy host or to the target server and executes it, an attacker who controls the schedule contents obtains remote command execution on the Dokploy host or on the remote server.
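To make the missing-check pattern concrete, the TypeScript below is an added illustration and not Dokploy's code: the Session, Schedule, authorizeSchedule, runScheduleVulnerable, runScheduleHardened and deleteScheduleHardened names, the role set, the error codes and the sample schedules are all assumptions, and the "execution" step is a stub that only records what would have run. It shows one schedule procedure written the vulnerable way (a session is the only thing checked, so a valid id from any tenant suffices) beside the same procedure with tenancy and role checks enforced before anything is written or executed, with the guard reused by a second mutating procedure so the check cannot be left out of one of them.

```typescript
// Added illustration of the missing organization/role check pattern.
// Not Dokploy's code: every name and all sample data below are assumed.

type Role = "owner" | "admin" | "member";
type ErrorCode = "UNAUTHORIZED" | "NOT_FOUND" | "FORBIDDEN";

interface Session {
  userId: string;
  organizationId: string;
  role: Role;
}

interface Schedule {
  scheduleId: string;
  organizationId: string;
  scheduleType: "server" | "dokploy-server" | "application";
  script: string;
}

class ScheduleError extends Error {
  constructor(readonly code: ErrorCode, message: string) {
    super(message);
  }
}

// Constructed sample data: one schedule per organization.
const schedules = new Map<string, Schedule>([
  ["sched-a", { scheduleId: "sched-a", organizationId: "org-a", scheduleType: "server", script: "echo org-a" }],
  ["sched-b", { scheduleId: "sched-b", organizationId: "org-b", scheduleType: "dokploy-server", script: "echo org-b" }],
]);

// Stand-in for "write the script to the host or target server and run it":
// it only records what would have executed, so the example is safe to run.
const executed: string[] = [];
function runScript(s: Schedule): string {
  const marker = `${s.scheduleType}:${s.script}`;
  executed.push(marker);
  return marker;
}

function executedScripts(): readonly string[] {
  return executed;
}

// VULNERABLE: the handler checks only that a session exists. The record is
// looked up by id alone, so a guessed or leaked id from any tenant is enough.
function runScheduleVulnerable(session: Session, scheduleId: string): string {
  if (!session.userId) throw new ScheduleError("UNAUTHORIZED", "no session");
  const s = schedules.get(scheduleId);
  if (!s) throw new ScheduleError("NOT_FOUND", scheduleId);
  return runScript(s);
}

// Shared guard for every schedule procedure: load the record, then enforce
// tenancy and role before handing it back. A record owned by another
// organization is reported as NOT_FOUND, not FORBIDDEN, so the response does
// not confirm to the caller that the id exists.
function authorizeSchedule(session: Session, scheduleId: string, allowed: readonly Role[]): Schedule {
  if (!session.userId) throw new ScheduleError("UNAUTHORIZED", "no session");
  const s = schedules.get(scheduleId);
  if (!s || s.organizationId !== session.organizationId) throw new ScheduleError("NOT_FOUND", scheduleId);
  if (!allowed.includes(session.role)) throw new ScheduleError("FORBIDDEN", `role ${session.role} may not act on schedules`);
  return s;
}

// HARDENED: the same procedure, but nothing is written or executed until the
// caller's organization and role have been checked against the record.
function runScheduleHardened(session: Session, scheduleId: string): string {
  return runScript(authorizeSchedule(session, scheduleId, ["owner", "admin"]));
}

// The guard is reused by the other mutating procedures (the advisory lists
// create, update, execute and delete as all lacking the check).
function deleteScheduleHardened(session: Session, scheduleId: string): boolean {
  authorizeSchedule(session, scheduleId, ["owner"]);
  return schedules.delete(scheduleId);
}

// Small helper for callers: returns the error code a call fails with, or null.
function failureCode(fn: () => unknown): ErrorCode | null {
  try {
    fn();
    return null;
  } catch (e) {
    return (e as ScheduleError).code;
  }
}
```

The shape to look for when reviewing a multi-tenant router is exactly the difference between the two handlers: a lookup keyed on a client-supplied id that is never compared against the caller's organization. Putting that comparison in one guard that every procedure calls is what keeps a later procedure from reintroducing the gap.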
Affected Systems
Affected are installations of Dokploy, the free, self-hostable Platform as a Service, running version 0.26.7 or earlier. No later release is named as fixing the issue, so operators on 0.26.7 or earlier should treat their instance as affected until a fixed version is identified.
Risk and Exploitability
A CVSS score of 9.9 places this vulnerability in the critical range. The only precondition is a valid account: any authenticated user can exercise the flaw, and no elevated role within Dokploy is needed. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog, which indicates no currently known widespread exploitation but is not evidence that exploitation is difficult. Because the schedule path runs an attacker-supplied script on the Dokploy host or on any target server, the impact on confidentiality, integrity, and availability is high: an attacker holding a low-privilege account and a valid scheduleId or serverId can create or modify a schedule containing a malicious script, execute it, and take full control of the affected machine. The missing organization and role checks are the whole of the barrier that should have stopped this.
OpenCVE Enrichment