Access Control Flaw in Dokploy PaaS Affects User Organization Scoping
CVE-2026-43917

5.3 MEDIUM

Key Information:

Vendor

Dokploy

Status
Vendor
CVE Published:
29 May 2026

What is CVE-2026-43917?

The vulnerability in Dokploy stems from inadequate enforcement of organization scoping in its protectedProcedure middleware. The middleware verifies that the caller is authenticated, but it does not verify that the data being accessed belongs to the logged-in user's active organization, leaving several endpoints exposed. The oversight affects critical operations such as managing deployments and backups: endpoints such as allByType, killProcess, and removeDeployment lack the necessary restriction to the caller's organization. Each such endpoint must validate that the requested resource belongs to the caller's active organization to prevent unauthorized cross-organization access in the PaaS environment.
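The following is an added illustration of the bug class the advisory describes and of the fix it calls for; it is hypothetical code, not Dokploy's. It models a tRPC-style procedure layer with an authentication-only `protectedProcedure`, an unscoped `removeDeployment` handler that trusts a client-supplied id, and scoped `removeDeployment` and `allByType` variants that take the organization from the session. All type names, the in-memory store and the sample rows are assumptions constructed for the example.

```typescript
// Hypothetical illustration of organization-scoped authorization in a
// tRPC-style procedure layer. Not Dokploy's code: the type names, the store
// shape and the sample rows are assumed.

type Session = { userId: string; activeOrganizationId: string };

type Deployment = {
  deploymentId: string;
  organizationId: string;
  type: "application" | "compose";
  status: "running" | "stopped";
};

// Mirrors the shape of a tRPC-style error: a machine-readable code plus message.
class ProcedureError extends Error {
  constructor(readonly code: "UNAUTHORIZED" | "NOT_FOUND", message: string) {
    super(message);
  }
}

// Constructed sample data: two organizations, three deployments.
function sampleDeployments(): Deployment[] {
  return [
    { deploymentId: "dep-1", organizationId: "org-a", type: "application", status: "running" },
    { deploymentId: "dep-2", organizationId: "org-a", type: "compose", status: "running" },
    { deploymentId: "dep-3", organizationId: "org-b", type: "application", status: "running" },
  ];
}

// An authentication-only middleware: it proves a session exists but says
// nothing about which organization the caller may act on.
function protectedProcedure(session: Session | null): Session {
  if (!session) throw new ProcedureError("UNAUTHORIZED", "not authenticated");
  return session;
}

// Unscoped handler (the bug class the advisory describes): the row is looked up
// by the client-supplied id alone, so a caller from org-a can remove org-b's
// deployment. Returns the store as it would be after the removal.
function removeDeploymentUnscoped(session: Session | null, deploymentId: string, store: Deployment[]): Deployment[] {
  protectedProcedure(session);
  if (!store.some(d => d.deploymentId === deploymentId)) {
    throw new ProcedureError("NOT_FOUND", "deployment not found");
  }
  return store.filter(d => d.deploymentId !== deploymentId);
}

// Scoped lookup: resolve the row, then require that it belongs to the caller's
// active organization. A cross-organization id gets the same NOT_FOUND as a
// missing one, so the endpoint is not an existence oracle for other tenants.
function loadScopedDeployment(session: Session, deploymentId: string, store: Deployment[]): Deployment {
  const row = store.find(d => d.deploymentId === deploymentId);
  if (!row || row.organizationId !== session.activeOrganizationId) {
    throw new ProcedureError("NOT_FOUND", "deployment not found");
  }
  return row;
}

function removeDeploymentScoped(session: Session | null, deploymentId: string, store: Deployment[]): Deployment[] {
  const s = protectedProcedure(session);
  const row = loadScopedDeployment(s, deploymentId, store);
  return store.filter(d => d.deploymentId !== row.deploymentId);
}

// Scoped listing: the organization filter comes from the session, never from
// client input, so a caller cannot enumerate another tenant's deployments.
function allByTypeScoped(session: Session | null, type: Deployment["type"], store: Deployment[]): Deployment[] {
  const s = protectedProcedure(session);
  return store.filter(d => d.organizationId === s.activeOrganizationId && d.type === type);
}

// Helper for demonstrations: run a procedure and report its error code, or "OK".
function outcome(fn: () => unknown): string {
  try {
    fn();
    return "OK";
  } catch (e) {
    return (e as ProcedureError).code ?? "UNKNOWN";
  }
}

// Demonstration: the same cross-organization request against both handlers.
const demoOrgAUser: Session = { userId: "user-1", activeOrganizationId: "org-a" };
console.log("unscoped remove of an org-b row by an org-a user:",
  outcome(() => removeDeploymentUnscoped(demoOrgAUser, "dep-3", sampleDeployments())));
console.log("scoped remove of an org-b row by an org-a user:",
  outcome(() => removeDeploymentScoped(demoOrgAUser, "dep-3", sampleDeployments())));
```

The design point is that the ownership check is performed against the resource row after it is loaded, using the organization recorded in the session rather than anything the client sends, and that a cross-organization id is indistinguishable from a non-existent one in the response.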

Affected Version(s)

dokploy <= 0.19.0

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
