Dokploy Hardcoded Credential Vulnerability in Database Configuration
Vulnerability
A vulnerability exists in Dokploy versions prior to 0.26.6, where the installation script contains hardcoded database credentials. Because the script uses a fixed password when creating the database container, nearly all Dokploy installations share the same database login information, which can lead to unauthorized access. The credentials become exploitable once an attacker reaches the internal Dokploy network, for example through code execution or server-side request forgery on the web application.
Impact
Exploitation of this vulnerability allows access to the database using the hardcoded credentials, enabling manipulation of database information. According to the GitHub advisory, this vulnerability could be exploited to access sensitive information from the database.
Reproduction
To reproduce this vulnerability, install Dokploy using the official installation script. Once Dokploy is installed, an attacker can access the database using the hardcoded credentials embedded in the script, which are the same for every installation. This access can be achieved if the attacker has executed code on the Dokploy web application or a vulnerable application with a domain connected to the Dokploy network.
Remediation
Users are advised to update to Dokploy version 0.26.6 or later, where this vulnerability has been patched. For those using versions prior to 0.26.6, it is recommended to migrate to Docker Secrets by using the POSTGRES_PASSWORD_FILE environment variable, as detailed in the Dokploy security migration guide.
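The migration described above, shown as an added illustration rather than Dokploy's own installation script or compose file: the same Postgres service with the weak fixed-password setting beside the Docker Secrets form. The service, secret and network names are assumptions, and <HARDCODED_PASSWORD> stands in for the fixed value the advisory describes.

```yaml
# Added illustration, not Dokploy's install script. Service, secret and
# network names are assumptions; <HARDCODED_PASSWORD> is a placeholder.
services:
  # --- Before: the password is baked into the service definition. Shown only
  # for contrast; do not deploy this service. ---
  db-weak:
    image: postgres:16
    environment:
      POSTGRES_USER: dokploy
      # Every host that runs this file gets the same password, so anyone who
      # can reach the container on the internal network can log in.
      POSTGRES_PASSWORD: "<HARDCODED_PASSWORD>"
    networks: [dokploy-network]

  # --- After: the password is supplied through a Docker secret. ---
  db:
    image: postgres:16
    environment:
      POSTGRES_USER: dokploy
      # The official postgres image reads the password from this file at first
      # initialization instead of from an environment variable, so the value
      # never appears in the compose file or in `docker inspect` output.
      # For an existing data directory the role password must also be changed
      # (ALTER ROLE) to the new secret value.
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password
    networks: [dokploy-network]

secrets:
  postgres_password:
    # Created once per host with a random value, e.g.:
    #   openssl rand -base64 32 | docker secret create postgres_password -
    external: true

networks:
  dokploy-network:
    external: true
```

After deploying, `docker inspect` on the database container should list POSTGRES_PASSWORD_FILE in its environment and no POSTGRES_PASSWORD value.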