CVE Catalog

CVE-2026-45408

CriticalCVSS 9.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile — higher than 14% of all known CVEs

Summary

A vulnerability in Dokku before version 0.38.2 allows remote code execution by an authenticated user. The app name validation permits shell metacharacters, which are then embedded unquoted into a git hook script, enabling arbitrary command execution as the dokku user.

Risk Assessment

An attacker can take over the Dokku server by executing arbitrary commands as the dokku user, leading to full compromise of the platform and hosted applications.

Recommendation

Immediately update Dokku to version 0.38.2 or later, which includes a fix for app name validation and safe heredoc usage.

Original NVD description (English source)

Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS