CVE-2026-45631

Dokploy · PaaS

A hardcoded authentication secret in Dokploy allows unauthenticated attackers to forge JWTs, gain administrative access, and execute commands on the host system via SSH.

Executive summary

A hardcoded authentication secret in Dokploy enables unauthenticated attackers to bypass security controls and gain full administrative control over the host.

Vulnerability

The application uses a hardcoded fallback secret ("better-auth-secret-123456789") for JWT signing. Because the fallback is a constant readable in the source, an unauthenticated attacker can forge email verification tokens, authenticate as an administrator, and use the built-in SSH terminal to execute arbitrary commands on the host.

Business impact

With a CVSS score of 10, this is a maximum-severity vulnerability. It allows any unauthenticated attacker to bypass all authentication mechanisms, leading to full unauthorized access to the PaaS environment and the underlying host server. This could result in total data loss, system destruction, or deep-seated persistence within the network.

Remediation

Immediate Action: Update Dokploy to version 0.29.3 or later.

Proactive Monitoring: Review all authentication logs for suspicious administrative sign-ins and investigate the creation of unauthorized SSH sessions or unexpected terminal activity.

Compensating Controls: Ensure the management interface is not exposed to the public internet and require VPN access for all administrative operations.

Exploitation status

Public Exploit Available: None

Analyst recommendation

This vulnerability is critical: it amounts to a complete authentication bypass that leads directly to remote code execution. Administrators must ensure the software is updated to the patched version 0.29.3 immediately to prevent account takeover and remote code execution.