Summary
An unauthenticated preview deployment vulnerability in Dokploy allows any GitHub user to execute arbitrary code in a project's preview environment and read its environment variables by opening a pull request against a public repository that has preview deployments enabled. No access to the repository or to Dokploy is required. This exposes the preview environment's secrets and gives the attacker code execution on the deployment host, putting every Dokploy user who enables preview deployments on a public repository at risk.
Details
- Anyone can fork a public repository that is deployed with Dokploy, open a pull request from the fork containing malicious code (e.g., code that leaks environment variables), and Dokploy will build and deploy the pull request automatically, without checking whether the author is a collaborator or whether the head branch comes from a fork.
- The deployment will have access to the repository’s preview environment variables, which may include sensitive API keys or secrets.
- The public deployment link is posted on the pull request, making it trivial for an attacker to access the output.
PoC
- Create a public GitHub repository and connect it to Dokploy with preview deployments enabled.
- Add environment variables (e.g., fake API keys) to the preview deployment configuration.
- Fork the repository from another GitHub account.
- Open a pull request with code that exposes environment variables, such as a Next.js API route that returns process.env.
- Wait for Dokploy to deploy the pull request automatically and comment a public link.
- Visit the deployment link to view the exposed environment variables.
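The root cause in the details and PoC above is that a preview deployment is triggered by the `pull_request` event alone. The following is an added example, not Dokploy's code, of the check a deployment service should perform on the incoming GitHub webhook before building: compare the PR's head and base repositories to detect a fork, and look at the author's association with the base repository. The field names (`pull_request.head.repo.full_name`, `pull_request.base.repo.full_name`, `pull_request.author_association`) are the ones GitHub sends in the real `pull_request` payload; the function names, the trust policy and the two sample payloads are assumptions constructed for this example.

```javascript
// Added example: gate preview deployments on the origin of a pull request.
// Payload shapes mirror GitHub's `pull_request` webhook; the policy itself
// is an assumption for illustration and not Dokploy's own logic.

// A PR whose head lives in a different repository than the base was opened
// from a fork, which anyone can do against a public repository.
function isForkPullRequest(payload) {
  const pr = payload && payload.pull_request;
  if (!pr || !pr.head || !pr.base || !pr.base.repo) return false;
  // GitHub sets head.repo to null when the fork was deleted after the PR
  // was opened; the code is still untrusted, so treat it as a fork.
  if (!pr.head.repo) return true;
  return pr.head.repo.full_name !== pr.base.repo.full_name;
}

// Associations GitHub reports for people with write access to the base repo.
const TRUSTED_ASSOCIATIONS = new Set(["OWNER", "MEMBER", "COLLABORATOR"]);

// Decide whether to build a preview for this event and whether the build may
// see the preview environment's secrets. Untrusted code never gets secrets,
// and fork PRs are held for explicit approval instead of being auto-deployed.
function previewPolicy(payload) {
  const pr = payload.pull_request;
  const fromFork = isForkPullRequest(payload);
  const trustedAuthor = TRUSTED_ASSOCIATIONS.has(pr.author_association);

  if (!fromFork && trustedAuthor) {
    return { deploy: true, withSecrets: true, reason: "same-repo PR by trusted author" };
  }
  if (!fromFork) {
    // Same-repo branch but unknown association: build, but without secrets.
    return { deploy: true, withSecrets: false, reason: "same-repo PR, author not trusted" };
  }
  return { deploy: false, withSecrets: false, reason: "fork PR: manual approval required" };
}

// Constructed sample events (not real webhook captures).
const forkPrEvent = {
  action: "opened",
  pull_request: {
    number: 42,
    author_association: "NONE",
    head: { ref: "leak-env", repo: { full_name: "attacker/app", fork: true } },
    base: { ref: "main", repo: { full_name: "victim/app", fork: false } },
  },
};

const sameRepoPrEvent = {
  action: "opened",
  pull_request: {
    number: 43,
    author_association: "MEMBER",
    head: { ref: "feature", repo: { full_name: "victim/app", fork: false } },
    base: { ref: "main", repo: { full_name: "victim/app", fork: false } },
  },
};

// Run the policy over both samples and return the decisions.
function runDemo() {
  const decisions = {
    fork: previewPolicy(forkPrEvent),
    sameRepo: previewPolicy(sameRepoPrEvent),
  };
  console.log(JSON.stringify(decisions, null, 2));
  return decisions;
}

runDemo();
```

With this gate in front of the build step, the PoC above stops at step 5: the fork PR is recorded but never built, so there is no deployment link to post on the pull request and the preview secrets are never mounted into attacker-controlled code. A project that wants fork previews for open-source contributors should still build them without the preview environment's secrets, which is the same model GitHub Actions applies to `pull_request` runs from forks.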
Impact
All users of Dokploy preview deployments on public repositories (GitHub, and possibly other git providers) are affected. An attacker with no access to the repository or to Dokploy can read every environment variable configured for the preview environment, including API keys and other secrets, and can run arbitrary code on the host that serves the preview.