Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.
Published: 2026-06-26
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Dokku is a Docker‑based Platform as a Service that deploys applications via git pushes. A flaw in the application name validation regex allows shell metacharacters to enter the name unquoted. On a push, Dokku writes the app name into a bash pre‑receive hook using a non‑quoted heredoc. Bash then interprets shell metacharacters such as a semicolon as command separators, enabling an attacker who can push to the repository to execute arbitrary commands as the dokku user. This is an operating‑system command injection (CWE‑78) that can compromise the confidentiality, integrity, and availability of the entire Dokku host.

Affected Systems

Versions of Dokku older than 0.38.2 are affected. The issue resides in the dokku:dokku product and touches any instance that uses the default git pre‑receive hook. Any deployment that has not yet applied the 0.38.2 update remains vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 9, classifying it as critical. No EPSS score is available and it is not listed in CISA KEV, so the exploitation probability is uncertain; the absence of a KEV listing does not, however, preclude real-world attacks. The attack vector requires authenticated git push access, so exposure is limited to users who are allowed to deploy. The exploit path is straightforward: push to a remote whose app name contains a shell metacharacter; the pre-receive hook runs the embedded command, giving the attacker command execution as the dokku user.

Generated by OpenCVE AI on June 26, 2026 at 17:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Dokku installation to version 0.38.2 or later, which replaces the vulnerable regex and quotes the app name when inserting it into the hook script.
  • If an upgrade cannot be performed immediately, restrict git push permissions to trusted users only or remove push access for users that do not need deployment rights.
  • Audit existing application names for characters that could be interpreted as shell metacharacters and rename any that violate the accepted pattern before applying any temporary measures.
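An added audit check for the last step above (example code, not Dokku's own): it applies the app-name regex quoted in the description to a constructed list of names and reports those the old pattern accepts even though they contain shell metacharacters. The stricter allow-list pattern is an assumption for this example, not the pattern Dokku 0.38.2 ships.

```python
import re

# Regex quoted on this page for Dokku < 0.38.2: it only forbids '/', ':', '_'
# and upper-case letters, so most shell metacharacters pass.
VULNERABLE_APP_NAME_RE = re.compile(r"^[a-z0-9][^/:_A-Z]*$")

# Stricter allow-list (an assumption for this example, not Dokku's fixed regex):
# lower-case letters, digits, '.' and '-' only.
STRICT_APP_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")

# Characters bash treats specially when a name lands unquoted in a script.
SHELL_METACHARACTERS = set(";&|<>()$`\\\"' \t\n*?[]{}~#!")


def shell_metachars_in(name: str) -> set:
    """Return the set of shell metacharacters present in an app name."""
    return {c for c in name if c in SHELL_METACHARACTERS}


def is_accepted_by_vulnerable_regex(name: str) -> bool:
    """True if the pre-0.38.2 validation regex would accept this name."""
    return VULNERABLE_APP_NAME_RE.match(name) is not None


def is_accepted_by_strict_regex(name: str) -> bool:
    """True if the stricter allow-list pattern accepts this name."""
    return STRICT_APP_NAME_RE.match(name) is not None


def audit_app_names(names):
    """Return (name, metachars) for every name the old regex accepts but a
    shell would mis-parse; these are the names an admin should rename."""
    findings = []
    for name in names:
        metas = shell_metachars_in(name)
        if is_accepted_by_vulnerable_regex(name) and metas:
            findings.append((name, "".join(sorted(metas))))
    return findings


# Constructed sample, standing in for the output of an app listing on a host.
SAMPLE_APP_NAMES = ["api", "web-frontend", "blog.v2", "my;app", "db&cache", "Bad_Name"]

if __name__ == "__main__":
    for name, metas in audit_app_names(SAMPLE_APP_NAMES):
        print(f"rename needed: {name!r} contains shell metacharacter(s) {metas!r}")
```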

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Metrics | (empty) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (empty) | (the description text given at the top of this page)
Title | (empty) | Dokku: OS Command Injection via App Name in Git Pre-Receive Hook
Weaknesses | (empty) | CWE-78
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T18:41:32.788Z

Reserved: 2026-05-12T01:48:40.452Z

Link: CVE-2026-45408

Vulnrichment

Updated: 2026-06-26T18:14:29.711Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:30:05Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')