📄 Description (English)
Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue.
🤖 AI Executive Summary
Dokploy versions prior to 0.26.6 contain hardcoded database credentials in the installation script, allowing attackers to access database containers across nearly all affected deployments. This critical vulnerability (CWE-798) affects self-hosted PaaS instances widely used in Saudi Arabia for application deployment and data management. Immediate patching to version 0.26.6 or credential rotation is essential to prevent unauthorized database access and potential data breaches.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 18:21
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Dokploy for application deployment and hosting—particularly in fintech, government digital transformation initiatives, healthcare platforms, and e-commerce sectors—face critical risk. Financial institutions and SAMA-regulated entities using Dokploy for internal PaaS infrastructure could experience unauthorized database access. Government agencies (NCA, CITC oversight) and healthcare providers (MOH systems) are at elevated risk. Telecommunications and energy sector digital platforms leveraging Dokploy deployments could be compromised. The widespread use of identical credentials across installations amplifies the attack surface significantly.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Healthcare and Medical Services
Energy and Utilities
Telecommunications
E-commerce and Retail
Education and Research
Technology and Software Development
🎯 MITRE ATT&CK Techniques
T1078 - Valid Accounts (use of hardcoded credentials)
T1110 - Brute Force (credential guessing with known defaults)
T1021 - Remote Services (database access)
T1040 - Traffic Capture or Replay (database credential interception)
T1555 - Credentials from Password Stores (hardcoded in scripts)
T1589 - Gather Victim Identity Information (credential harvesting)
T1213 - Data from Information Repositories (database exfiltration)
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Dokploy installations in your environment and verify versions prior to 0.26.6
2. Assume database credentials are compromised; immediately rotate all database passwords
3. Review database access logs for unauthorized connections since deployment
4. Isolate affected Dokploy instances from production networks if not yet patched
PATCHING GUIDANCE:
1. Upgrade all Dokploy instances to version 0.26.6 or later immediately
2. After upgrade, regenerate database credentials with strong, unique passwords
3. Update all application connection strings to use new credentials
4. Restart all dependent services after credential rotation
COMPENSATING CONTROLS (if immediate patching not possible):
1. Implement network segmentation: restrict database container access to authorized hosts only
2. Enable database-level authentication logging and monitoring
3. Deploy WAF/IDS rules to detect suspicious database connection patterns
4. Implement database activity monitoring (DAM) solutions
5. Restrict outbound connections from database containers
DETECTION RULES:
1. Monitor for database connection attempts using default credentials (dokploy/dokploy or similar)
2. Alert on unexpected database access from non-application sources
3. Track failed authentication attempts to database containers
4. Monitor for data exfiltration patterns from affected databases
5. Log all administrative access to Dokploy control plane
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع تثبيتات Dokploy في بيئتك والتحقق من الإصدارات السابقة للإصدار 0.26.6
2. افترض أن بيانات اعتماد قاعدة البيانات مخترقة؛ قم بتدوير جميع كلمات مرور قاعدة البيانات فوراً
3. راجع سجلات الوصول إلى قاعدة البيانات للاتصالات غير المصرح بها منذ النشر
4. عزل مثيلات Dokploy المتأثرة عن شبكات الإنتاج إذا لم يتم تصحيحها بعد
إرشادات التصحيح:
1. قم بترقية جميع مثيلات Dokploy إلى الإصدار 0.26.6 أو أحدث فوراً
2. بعد الترقية، أعد إنشاء بيانات اعتماد قاعدة البيانات بكلمات مرور قوية وفريدة
3. حدّث جميع سلاسل اتصال التطبيق لاستخدام بيانات اعتماد جديدة
4. أعد تشغيل جميع الخدمات المعتمدة بعد تدوير بيانات الاعتماد
الضوابط البديلة:
1. تنفيذ تقسيم الشبكة: تقييد الوصول إلى حاوية قاعدة البيانات للمضيفين المصرح بهم فقط
2. تفعيل تسجيل المصادقة على مستوى قاعدة البيانات والمراقبة
3. نشر قواعد WAF/IDS للكشف عن أنماط الاتصال المريبة
4. تنفيذ حلول مراقبة نشاط قاعدة البيانات
5. تقييد الاتصالات الصادرة من حاويات قاعدة البيانات
قواعد الكشف:
1. مراقبة محاولات الاتصال بقاعدة البيانات باستخدام بيانات اعتماد افتراضية
2. تنبيهات الوصول غير المتوقع إلى قاعدة البيانات من مصادر غير التطبيق
3. تتبع محاولات المصادقة الفاشلة لحاويات قاعدة البيانات
4. مراقبة أنماط تسرب البيانات من قواعد البيانات المتأثرة
5. تسجيل جميع الوصول الإداري إلى لوحة تحكم Dokploy
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authentication controls
ECC 2024 A.9.4.3 - Password management and credential security
ECC 2024 A.12.2.1 - Change management procedures
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.AC-6 - Access control for data and systems
SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - Privileged access rights
ISO 27001:2022 A.8.3 - Information access restriction
ISO 27001:2022 A.14.2 - System development and change management
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Change default passwords
PCI DSS 2.2.4 - Configure system security parameters
PCI DSS 6.2 - Ensure security patches are installed
PCI DSS 8.2.1 - Use strong authentication methods
📦 Affected Products / CPE 1 entries
dokploy:dokploy