{"id":"CVE-2026-43917","summary":"Dokploy: Cross-Organization IDOR - Multiple tRPC endpoints missing activeOrganizationId validation","details":"Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.19.0 and earlier, the protectedProcedure middleware only verifies the user is authenticated - it does NOT enforce organization scoping. Each endpoint must individually verify the resource's org matches the session's activeOrganizationId. This affects the following endpoints: allByType, killProcess, and removeDeployment in deployment.ts; delete in rollbacks.ts; create, one, update, remove, manualBackupPostgres, MySql, Mariadb, Mongo, Compose, WebServer, and listBackupFiles in backup.ts; list, one, delete, update, runManually, and restoreVolumeBackupWithLogs in volume-backups.ts; getNodes, removeWorker, addWorker, and addManager in cluster.ts; and create in mount.ts.","aliases":["GHSA-f8wj-5c4w-frhg"],"modified":"2026-07-08T08:13:30.267556748Z","published":"2026-05-29T16:40:05.824Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43917.json","cwe_ids":["CWE-639"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/43xxx/CVE-2026-43917.json"},{"type":"ADVISORY","url":"https://github.com/Dokploy/dokploy/security/advisories/GHSA-f8wj-5c4w-frhg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-43917"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dokploy/dokploy","events":[{"introduced":"0"},{"last_affected":"5db7508530f812e7e8f565d55bdca7b94b094253"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"0.19.0"}]}}],"versions":["v0.18.4","v0.19.0","v0.18.3","v0.18.2","v0.18.1","v0.18.0","v0.17.9","v0.17.8","v0.17.7","v0.17.6","v0.17.5","v0.17.4","v0.17.2","v0.17.1","v0.17.0","v0.16.1","v0.16.0","v0.15.1","v0.15.0","v0.14.1","v0.14.0","v0.13.1","v0.13.0","v0.12.0","v0.11.2","v0.11.1","v0.11.0","v0.10.10","v0.10.9","v0.10.7","v0.10.6","v0.10.5","v0.10.4","v0.10.3","v0.10.2","v0.10.1","v0.10.0","v0.9.4","v0.9.3","v0.9.2","v0.9.1","v0.9.0","v0.8.3","v0.8.2","v0.8.1","v0.8.0","v0.7.3","v0.7.2","v0.7.1","v0.7.0","v0.6.3","v0.6.2","v0.6.1","v0.6.0","v0.5.1","v0.5.0","v0.4.0","v0.3.3","v0.3.2","v0.3.1","v0.3.0","v0.2.5","v0.2.4","v0.2.3","v0.2.2","v0.2.1","v0.1.0","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-43917.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}]}