Dokploy
- <= v0.26.7
A vulnerability in Dokploy versions through 0.26.7 allows any authenticated user to bypass organization and role checks in the schedule router. Because the procedures only verify that a session exists, a user who belongs to any organization and holds only the member role can create, update, run, or delete schedules that belong to other organizations, provided they know (or can guess) the target scheduleId or serverId. The 'server' and 'dokploy-server' schedule types execute a user-supplied script on a registered remote server or on the Dokploy host itself, so the missing checks amount to remote code execution on either the Dokploy host or a target server.
Exploitation of this vulnerability allows for arbitrary command execution on the Dokploy host or on registered remote servers, depending on the schedule type used. Additionally, it enables unauthorized deletion or manipulation of schedules.
To reproduce this vulnerability, first create a user with the member role and generate an API key for it. Then call the 'schedule.create' endpoint to create a schedule with the 'dokploy-server' type, supplying a script payload (for example one that writes a marker file). After the schedule is created, execute it immediately with the 'schedule.runManually' endpoint rather than waiting for the cron trigger. Verify that the command ran by checking for the '/tmp/dokploy-pwn' file on the Dokploy host.
It is recommended to enforce organization and role checks on every schedule-related procedure (create, update, run, delete, and read), to restrict the 'server' and 'dokploy-server' schedule types to the owner or admin roles, and to validate that any scheduleId or serverId supplied in a request belongs to the caller's active organization, treating a lookup that crosses the organization boundary the same as a missing record.
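The following is an added, self-contained TypeScript model of the reproduction steps and the recommended fix above; it is not Dokploy's own code. It keeps an in-memory stand-in for the database, replays a cross-organization 'schedule.runManually' call against a procedure that only checks for a session (the vulnerable shape) and against one that scopes lookups to the caller's active organization and gates host-level schedule types by role, and shows a hardened 'schedule.create' that validates serverId ownership. Type names, field names, the session shape, the sample organizations and the error class are all assumptions made for the example.

```typescript
// Added example (not Dokploy's code): models the schedule-router authorization
// gap and one way to close it. All names and data below are assumptions.

type Role = "owner" | "admin" | "member";
type ScheduleType = "application" | "compose" | "server" | "dokploy-server";

interface Session { userId: string; activeOrganizationId: string; }
interface Member { userId: string; organizationId: string; role: Role; }
interface Server { serverId: string; organizationId: string; }
interface Schedule {
  scheduleId: string;
  organizationId: string;
  scheduleType: ScheduleType;
  serverId?: string;
  script: string;
}

class ForbiddenError extends Error {
  constructor(message: string) { super(message); this.name = "ForbiddenError"; }
}

// Constructed sample data standing in for the database tables.
const members: Member[] = [
  { userId: "alice", organizationId: "org-A", role: "owner" },
  { userId: "mallory", organizationId: "org-B", role: "member" },
];
const servers: Server[] = [{ serverId: "srv-A1", organizationId: "org-A" }];
const schedules: Schedule[] = [
  { scheduleId: "sch-A1", organizationId: "org-A", scheduleType: "server",
    serverId: "srv-A1", script: "touch /tmp/dokploy-pwn" },
];

// Stand-in for the real executor: records where the script would have run.
const executionLog: string[] = [];
function executeSchedule(s: Schedule): string {
  const target = s.scheduleType === "dokploy-server" ? "dokploy-host" : (s.serverId ?? "container");
  const entry = `${target}: ${s.script}`;
  executionLog.push(entry);
  return entry;
}

// VULNERABLE shape: a session exists, so the scheduleId is trusted as-is.
function runManuallyVulnerable(_session: Session, scheduleId: string): string {
  const schedule = schedules.find((s) => s.scheduleId === scheduleId);
  if (!schedule) throw new Error("schedule not found");
  return executeSchedule(schedule); // a member of org-B runs org-A's script
}

// HARDENED shape: resolve membership in the *active* organization, scope every
// lookup to that organization, and gate host-level types by role.
function requireMember(session: Session): Member {
  const m = members.find((x) =>
    x.userId === session.userId && x.organizationId === session.activeOrganizationId);
  if (!m) throw new ForbiddenError("not a member of the active organization");
  return m;
}

const HOST_TYPES = new Set<ScheduleType>(["server", "dokploy-server"]);

function requireRoleForType(member: Member, type: ScheduleType): void {
  if (HOST_TYPES.has(type) && member.role === "member") {
    throw new ForbiddenError(`'${type}' schedules require owner or admin`);
  }
}

function runManuallyHardened(session: Session, scheduleId: string): string {
  const member = requireMember(session);
  // Filtering by organizationId also avoids confirming which ids exist elsewhere.
  const schedule = schedules.find((s) =>
    s.scheduleId === scheduleId && s.organizationId === member.organizationId);
  if (!schedule) throw new ForbiddenError("schedule not found");
  requireRoleForType(member, schedule.scheduleType);
  return executeSchedule(schedule);
}

interface CreateInput { scheduleType: ScheduleType; serverId?: string; script: string; }

function createHardened(session: Session, input: CreateInput): Schedule {
  const member = requireMember(session);
  requireRoleForType(member, input.scheduleType);
  if (input.scheduleType === "server") {
    // serverId must name a server owned by the caller's active organization.
    const owned = servers.some((s) =>
      s.serverId === input.serverId && s.organizationId === member.organizationId);
    if (!owned) throw new ForbiddenError("server not found");
  }
  const schedule: Schedule = {
    scheduleId: `sch-${schedules.length + 1}`,
    organizationId: member.organizationId, // derived from the session, never from the request
    scheduleType: input.scheduleType,
    serverId: input.serverId,
    script: input.script,
  };
  schedules.push(schedule);
  return schedule;
}

// Replays the cross-organization request against both shapes.
function demo(): { vulnerable: string; hardened: string } {
  const mallory: Session = { userId: "mallory", activeOrganizationId: "org-B" };
  const vulnerable = runManuallyVulnerable(mallory, "sch-A1");
  let hardened = "executed";
  try {
    runManuallyHardened(mallory, "sch-A1");
  } catch (e) {
    hardened = (e as Error).name === "ForbiddenError" ? "forbidden" : "error";
  }
  return { vulnerable, hardened };
}

console.log(demo()); // vulnerable path runs org-A's script; hardened path refuses
```

The organization filter is applied inside the query rather than checked after the fetch, so an id from another organization is indistinguishable from a nonexistent one, and the organizationId written on create comes from the session rather than the request body, which closes the update and delete variants as well.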