While reproducing the Dokploy/dokploy ↗ vulnerability (CVE-2026-24841), I realized that the installation script for v0.26.5 in the documentation is incorrect..
Documentation Installation Script#
Logs#
✅ Critical initialization complete
Default middlewares already exists
Network is already initilized
Migration failed Error [PostgresError]: password authentication failed for user "dokploy"
at ignore-listed frames {
severity_local: 'FATAL',
severity: 'FATAL',
code: '28P01',
file: 'auth.c',
line: '331',
routine: 'auth_failed'
}Root cause#
The code of the Docker service on installation script:
docker service create \
--name dokploy \
--replicas 1 \
--network dokploy-network \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--mount type=bind,source=/etc/dokploy,target=/etc/dokploy \
--mount type=volume,source=dokploy,target=/root/.docker \
--secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \
--publish published=3000,target=3000,mode=host \
--update-parallelism 1 \
--update-order stop-first \
--constraint 'node.role == manager' \
-e ADVERTISE_ADDR=$advertise_addr \
-e POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
dokploy/dokploy:latestThe code of the Dokploy v0.26.5:
// packages/server/src/db/index.ts
declare global {
var db: PostgresJsDatabase<typeof schema> | undefined;
}
export let db: PostgresJsDatabase<typeof schema>;
if (process.env.NODE_ENV === "production") {
db = drizzle(postgres(process.env.DATABASE_URL!), {
schema,
});
} else {
if (!global.db)
global.db = drizzle(postgres(process.env.DATABASE_URL!), {
schema,
});
db = global.db;
}The code of the Dokploy v0.26.6:
// packages/server/src/db/constants.ts
export const {
DATABASE_URL,
POSTGRES_PASSWORD_FILE,
POSTGRES_USER = "dokploy",
POSTGRES_DB = "dokploy",
POSTGRES_HOST = "dokploy-postgres",
POSTGRES_PORT = "5432",
} = process.env;
function readSecret(path: string): string {
try {
return fs.readFileSync(path, "utf8").trim();
} catch {
throw new Error(`Cannot read secret at ${path}`);
}
}
export let dbUrl: string;
if (DATABASE_URL) {
// Compatibilidad legacy / overrides
dbUrl = DATABASE_URL;
} else if (POSTGRES_PASSWORD_FILE) {
const password = readSecret(POSTGRES_PASSWORD_FILE);
dbUrl = `postgres://${POSTGRES_USER}:${encodeURIComponent(
password,
)}@${POSTGRES_HOST}:${POSTGRES_PORT}/${POSTGRES_DB}`;
} else {
console.warn(`
⚠️ [DEPRECATED DATABASE CONFIG]
You are using the legacy hardcoded database credentials.
This mode WILL BE REMOVED in a future release.
Please migrate to Docker Secrets using POSTGRES_PASSWORD_FILE.
Please execute this command in your server: curl -sSL https://dokploy.com/security/0.26.6.sh | bash
`);
dbUrl =
"postgres://dokploy:amukds4wi9001583845717ad2@dokploy-postgres:5432/dokploy";
}Solution#
Installation script of v0.26.5:
#!/bin/bash
# Function to detect if running in Proxmox LXC container
is_proxmox_lxc() {
# Check for LXC in environment
if [ -n "$container" ] && [ "$container" = "lxc" ]; then
return 0 # LXC container
fi
# Check for LXC in /proc/1/environ
if grep -q "container=lxc" /proc/1/environ 2>/dev/null; then
return 0 # LXC container
fi
return 1 # Not LXC
}
install_dokploy() {
# Detect version tag
VERSION_TAG="v0.26.5"
DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}"
echo "Installing Dokploy version: ${VERSION_TAG}"
if [ "$(id -u)" != "0" ]; then
echo "This script must be run as root" >&2
exit 1
fi
# check if is Mac OS
if [ "$(uname)" = "Darwin" ]; then
echo "This script must be run on Linux" >&2
exit 1
fi
# check if is running inside a container
if [ -f /.dockerenv ]; then
echo "This script must be run on Linux" >&2
exit 1
fi
# check if something is running on port 80
if ss -tulnp | grep ':80 ' >/dev/null; then
echo "Error: something is already running on port 80" >&2
exit 1
fi
# check if something is running on port 443
if ss -tulnp | grep ':443 ' >/dev/null; then
echo "Error: something is already running on port 443" >&2
exit 1
fi
# check if something is running on port 3000
if ss -tulnp | grep ':3000 ' >/dev/null; then
echo "Error: something is already running on port 3000" >&2
echo "Dokploy requires port 3000 to be available. Please stop any service using this port." >&2
exit 1
fi
command_exists() {
command -v "$@" > /dev/null 2>&1
}
if command_exists docker; then
echo "Docker already installed"
else
curl -sSL https://get.docker.com | sh -s -- --version 28.5.0
fi
# Check if running in Proxmox LXC container and set endpoint mode
endpoint_mode=""
if is_proxmox_lxc; then
echo "⚠️ WARNING: Detected Proxmox LXC container environment!"
echo "Adding --endpoint-mode dnsrr to Docker services for LXC compatibility."
echo "This may affect service discovery but is required for LXC containers."
echo ""
endpoint_mode="--endpoint-mode dnsrr"
echo "Waiting for 5 seconds before continuing..."
sleep 5
fi
docker swarm leave --force 2>/dev/null
get_ip() {
local ip=""
# Try IPv4 first
# First attempt: ifconfig.io
ip=$(curl -4s --connect-timeout 5 https://ifconfig.io 2>/dev/null)
# Second attempt: icanhazip.com
if [ -z "$ip" ]; then
ip=$(curl -4s --connect-timeout 5 https://icanhazip.com 2>/dev/null)
fi
# Third attempt: ipecho.net
if [ -z "$ip" ]; then
ip=$(curl -4s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null)
fi
# If no IPv4, try IPv6
if [ -z "$ip" ]; then
# Try IPv6 with ifconfig.io
ip=$(curl -6s --connect-timeout 5 https://ifconfig.io 2>/dev/null)
# Try IPv6 with icanhazip.com
if [ -z "$ip" ]; then
ip=$(curl -6s --connect-timeout 5 https://icanhazip.com 2>/dev/null)
fi
# Try IPv6 with ipecho.net
if [ -z "$ip" ]; then
ip=$(curl -6s --connect-timeout 5 https://ipecho.net/plain 2>/dev/null)
fi
fi
if [ -z "$ip" ]; then
echo "Error: Could not determine server IP address automatically (neither IPv4 nor IPv6)." >&2
echo "Please set the ADVERTISE_ADDR environment variable manually." >&2
echo "Example: export ADVERTISE_ADDR=<your-server-ip>" >&2
exit 1
fi
echo "$ip"
}
get_private_ip() {
ip addr show | grep -E "inet (192\.168\.|10\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.)" | head -n1 | awk '{print $2}' | cut -d/ -f1
}
advertise_addr="${ADVERTISE_ADDR:-$(get_private_ip)}"
if [ -z "$advertise_addr" ]; then
echo "ERROR: We couldn't find a private IP address."
echo "Please set the ADVERTISE_ADDR environment variable manually."
echo "Example: export ADVERTISE_ADDR=192.168.1.100"
exit 1
fi
echo "Using advertise address: $advertise_addr"
# Allow custom Docker Swarm init arguments via DOCKER_SWARM_INIT_ARGS environment variable
# Example: export DOCKER_SWARM_INIT_ARGS="--default-addr-pool 172.20.0.0/16 --default-addr-pool-mask-length 24"
# This is useful to avoid CIDR overlapping with cloud provider VPCs (e.g., AWS)
swarm_init_args="${DOCKER_SWARM_INIT_ARGS:-}"
if [ -n "$swarm_init_args" ]; then
echo "Using custom swarm init arguments: $swarm_init_args"
docker swarm init --advertise-addr $advertise_addr $swarm_init_args
else
docker swarm init --advertise-addr $advertise_addr
fi
if [ $? -ne 0 ]; then
echo "Error: Failed to initialize Docker Swarm" >&2
exit 1
fi
echo "Swarm initialized"
docker network rm -f dokploy-network 2>/dev/null
docker network create --driver overlay --attachable dokploy-network
echo "Network created"
mkdir -p /etc/dokploy
chmod 777 /etc/dokploy
# Generate Password for Postgres
POSTGRES_PASSWORD="123456"
# Store password as Docker Secret (encrypted and secure)
echo "$POSTGRES_PASSWORD" | docker secret create dokploy_postgres_password - 2>/dev/null || true
echo "Generated secure database credentials (stored in Docker Secrets)"
docker service create \
--name dokploy-postgres \
--constraint 'node.role==manager' \
--network dokploy-network \
--env POSTGRES_USER=dokploy \
--env POSTGRES_DB=dokploy \
--secret source=dokploy_postgres_password,target=/run/secrets/postgres_password \
--env POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password \
--mount type=volume,source=dokploy-postgres,target=/var/lib/postgresql/data \
$endpoint_mode \
postgres:16
docker service create \
--name dokploy-redis \
--constraint 'node.role==manager' \
--network dokploy-network \
--mount type=volume,source=dokploy-redis,target=/data \
$endpoint_mode \
redis:7
# Installation
# Set RELEASE_TAG environment variable for canary/feature versions
release_tag_env=""
if [ "$VERSION_TAG" != "latest" ]; then
release_tag_env="-e RELEASE_TAG=$VERSION_TAG"
fi
docker service create \
--name dokploy \
--replicas 1 \
--network dokploy-network \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--mount type=bind,source=/etc/dokploy,target=/etc/dokploy \
--mount type=volume,source=dokploy,target=/root/.docker \
--publish published=3000,target=3000,mode=host \
--update-parallelism 1 \
--update-order stop-first \
--constraint 'node.role == manager' \
$endpoint_mode \
$release_tag_env \
-e ADVERTISE_ADDR=$advertise_addr \
-e DATABASE_URL=postgres://dokploy:123456@dokploy-postgres:5432/dokploy \
$DOCKER_IMAGE
sleep 4
docker run -d \
--name dokploy-traefik \
--restart always \
-v /etc/dokploy/traefik/traefik.yml:/etc/traefik/traefik.yml \
-v /etc/dokploy/traefik/dynamic:/etc/dokploy/traefik/dynamic \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
-p 80:80/tcp \
-p 443:443/tcp \
-p 443:443/udp \
traefik:v3.6.7
docker network connect dokploy-network dokploy-traefik
# Optional: Use docker service create instead of docker run
# docker service create \
# --name dokploy-traefik \
# --constraint 'node.role==manager' \
# --network dokploy-network \
# --mount type=bind,source=/etc/dokploy/traefik/traefik.yml,target=/etc/traefik/traefik.yml \
# --mount type=bind,source=/etc/dokploy/traefik/dynamic,target=/etc/dokploy/traefik/dynamic \
# --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
# --publish mode=host,published=443,target=443 \
# --publish mode=host,published=80,target=80 \
# --publish mode=host,published=443,target=443,protocol=udp \
# traefik:v3.6.7
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m" # No Color
format_ip_for_url() {
local ip="$1"
if echo "$ip" | grep -q ':'; then
# IPv6
echo "[${ip}]"
else
# IPv4
echo "${ip}"
fi
}
public_ip="${ADVERTISE_ADDR:-$(get_ip)}"
formatted_addr=$(format_ip_for_url "$public_ip")
echo ""
printf "${GREEN}Congratulations, Dokploy is installed!${NC}\n"
printf "${BLUE}Wait 15 seconds for the server to start${NC}\n"
printf "${YELLOW}Please go to http://${formatted_addr}:3000${NC}\n\n"
}
update_dokploy() {
# Detect version tag
VERSION_TAG=$(detect_version)
DOCKER_IMAGE="dokploy/dokploy:${VERSION_TAG}"
echo "Updating Dokploy to version: ${VERSION_TAG}"
# Pull the image
docker pull $DOCKER_IMAGE
# Update the service
docker service update --image $DOCKER_IMAGE dokploy
echo "Dokploy has been updated to version: ${VERSION_TAG}"
}
# Main script execution
if [ "$1" = "update" ]; then
update_dokploy
else
install_dokploy
fi