
CVE-2026-45631 -- CVSS 10.0 Vulnerability Briefing

CVE-2026-45631 | CVSS 10.0 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-45631 is a hardcoded credential vulnerability in Dokploy, a self-hostable open-source Platform as a Service application, affecting versions 0.27.0 through 0.29.2. When the BETTER_AUTH_SECRET environment variable is not configured, the application falls back to a static, publicly known secret, which enables an unauthenticated authentication bypass.

Technical Detail

The flaw stems from a hardcoded fallback value ("better-auth-secret-123456789") for the BETTER_AUTH_SECRET environment variable used in Dokploy's authentication subsystem. When the variable is unset, the application silently uses this constant as its signing secret instead of refusing to start. Because the string is part of the published source, an unauthenticated attacker who targets an instance deployed without an explicit secret can forge valid session tokens or other authentication material and bypass access controls without any credentials. Successful exploitation grants unauthorized access to the Dokploy management plane, which controls containerized application deployments, environment variables, and infrastructure configuration, so the practical impact is equivalent to full administrative compromise of the hosted platform. Instances where BETTER_AUTH_SECRET was explicitly set to a unique value never use the fallback and are not exposed by this flaw, although they should still be upgraded.

Exploitation Status

No known exploit code has been publicly observed as of June 05, 2026, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog. However, the vulnerability is trivial in nature: the secret is a publicly documented static string that requires no reverse engineering to obtain, so the barrier to exploitation is extremely low. Any attacker aware of the affected version range can attempt exploitation without specialized tooling. Whether a given instance is actually exploitable depends on whether BETTER_AUTH_SECRET was left unset at deployment time, so exposure is a property of the deployment as well as of the version.

Who Is Targeting This

No confirmed, ATTAX-verified threat actor attribution exists for this vulnerability at this time. Reported (research-inferred) associations include REDCURL, SCATTEREDSPIDER, MUDDYWATER, MAGICHOUND, and LEAFMINER, all at medium confidence with unknown motivation. These associations are research-inferred and have not been independently verified through observed exploitation activity. Attribution should be treated as preliminary and not used as a basis for threat modeling without additional corroboration.

What To Do

Upgrade Dokploy to version 0.29.3 or later immediately; this release removes the hardcoded fallback and requires an explicitly configured BETTER_AUTH_SECRET value. Administrators running versions 0.27.0 through 0.29.2 should treat any instance that was exposed to untrusted networks without an explicit secret as potentially compromised and audit session logs for anomalous authentication activity. As an interim workaround prior to patching, set the BETTER_AUTH_SECRET environment variable to a strong, randomly generated value in the deployment configuration, which overrides the insecure fallback; expect existing sessions to be invalidated when the secret changes, which is desirable here since any session issued under the fallback cannot be trusted. Network-level controls restricting access to the Dokploy management interface to trusted IP ranges should be applied as a defense-in-depth measure regardless of patch status.
