CVE Catalog

CVE-2026-45407

MediumCVSS 5.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.09%

1th percentile — higher than 1% of all known CVEs

Summary

In Dokku prior to version 0.38.2, the git:auth command creates the $DOKKU_ROOT/.netrc file using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory.

Risk Assessment

The risk is that unauthorized local users can read git credentials, potentially leading to unauthorized access to repositories and leakage of sensitive source code.

Recommendation

Immediately update Dokku to version 0.38.2 or later, which includes a fix for this vulnerability.

Original NVD description (English source)

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS