To Reproduce
Details intentionally omitted — reported privately to contact@dokploy.com per SECURITY.md. See PR #4332 for the fix.
Current vs. Expected behavior
A permission misconfiguration in the Docker router allows low-privileged organization members to perform container lifecycle mutations they should not have access to. Expected behaviour is for the affected endpoints to be gated identically to their already-correctly-gated siblings in the same router.
Full technical details and reproduction steps have been shared privately with the maintainers.
Provide environment information
- Dokploy: v0.29.5 (and canary/main HEAD as of 2026-05-25)
- OS: Ubuntu 24.04 LTS
- Docker: 27.x
- Node: 20.x (bundled)
Which area(s) are affected? (Select all that apply)
Docker, Application
Are you deploying the applications where Dokploy is installed or on a remote server?
Both
Additional context
Apologies for filing publicly before reading SECURITY.md — original PoC has been redacted. Coordinating disclosure with maintainers via email and PR #4332.
Will you send a PR to fix it?
Yes — #4332