Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
Published: 2026-06-26
Score: 5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokku, a docker‑powered PaaS, creates a $DOKKU_ROOT/.netrc file when the git:auth command is run. Prior to version 0.38.2, the command pre-creates that file with bash's touch, which applies the default umask of 0644. Because the file already exists when the netrc binary opens it, the binary's built‑in 0600 permission setting is never applied, and the file stays world‑readable. The credentials stored within are git authentication tokens, so any local user who can traverse the Dokku home directory can read them, potentially compromising remote git repositories. This weakness is classified as CWE‑522, Insufficiently Protected Credentials.

Affected Systems

The affected product is Dokku, specifically versions earlier than 0.38.2. Any instance running these versions is vulnerable if the git:auth command is exercised and the Dokku home directory is not properly protected.

Risk and Exploitability

The CVSS score of 5 indicates moderate overall risk. The EPSS score is not available, so the likelihood of exploitation is uncertain; however, the vulnerability does not require network access and can be exploited by any local user who can access the Dokku deployment. The vulnerability is not listed in the CISA KEV catalog. Attackers would need local file system access to the Dokku root, after which they can read the .netrc file to obtain git credentials. The flaw is straightforward to exploit once the environment grants such access, and the consequence is credential compromise.

Generated by OpenCVE AI on June 26, 2026 at 18:00 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Dokku to version 0.38.2 or later to apply the fix that sets correct permissions.
  • Restrict the Dokku root directory so that only the Dokku user or privileged administrators can traverse it.
  • Scan for existing .netrc files with 0644 permissions and correct them to 0600 or delete them if not needed.
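The following shell script is an added example, not Dokku's code, that illustrates both the mechanism described in the Impact section and the third recommended action above. It simulates the netrc binary with a writer that creates its output under umask 077 (so a newly created file gets 0600), shows that a preceding touch under the default umask leaves the file at 0644 because a creation-time mode only applies when the file is actually created, and provides a find-based check that tightens any .netrc not already at 0600. All paths live under a temporary directory and the credential line is a constructed placeholder.

```shell
#!/usr/bin/env sh
# Added example (not Dokku's code): why pre-creating a file with `touch`
# defeats a writer that later creates it with mode 0600, plus a scan/fix
# for .netrc permissions. Everything runs under a temporary directory; the
# credential written is a constructed placeholder, not a real token.

set -u

# Print a file's permission bits in octal (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in for the netrc binary: creates its output with 0600. The mode only
# takes effect if this call is the one that creates the file.
write_secret_0600() {
    ( umask 077; printf 'machine git.example.invalid password PLACEHOLDER_TOKEN\n' > "$1" )
}

# Vulnerable pattern (pre-0.38.2 behaviour as the advisory describes it):
# touch under the default umask first, then hand the file to the 0600 writer.
# The file already exists, so its 0644 mode is kept. Prints the resulting mode.
vulnerable_create() {
    ( umask 022; touch "$1" )
    write_secret_0600 "$1"
    file_mode "$1"
}

# Fixed pattern: no pre-creation, so the 0600 writer creates the file itself.
fixed_create() {
    rm -f "$1"
    write_secret_0600 "$1"
    file_mode "$1"
}

# Remediation check: find every .netrc under a directory whose mode is not
# exactly 0600, chmod it to 0600, and print how many files were corrected.
fix_netrc_perms() {
    find "$1" -name .netrc -type f ! -perm 600 -exec chmod 0600 {} \; -print \
        | wc -l | tr -d ' '
}

# Stand-alone demonstration; cleans up after itself.
demo() {
    tmp=$(mktemp -d)
    echo "touch, then 0600 writer: mode $(vulnerable_create "$tmp/.netrc")"
    echo "0600 writer creates file: mode $(fixed_create "$tmp/.netrc")"
    rm -rf "$tmp"
}
demo
```

Running the script prints 644 for the touch-first sequence and 600 when the writer creates the file, which is the whole defect in two lines. To use the check on a real host, call fix_netrc_perms with the Dokku home directory as its argument, or drop the -exec clause to list offending files without changing them.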

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type: Description
Values Added: Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.

Type: Title
Values Added: Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch

Type: Weaknesses
Values Added: CWE-522

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:06:03.092Z

Reserved: 2026-05-12T01:48:40.452Z

Link: CVE-2026-45407

Vulnrichment

Updated: 2026-06-26T18:05:59.136Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T18:15:04Z

Weaknesses
  • CWE-522: Insufficiently Protected Credentials