CVE-2026-45405
Symlink Traversal in Dokku via Git Archive Extraction

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dokku is a Docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, so an archive that first contains a symlink pointing outside the extraction directory and then a file whose path runs through that link writes the file wherever the link points. An attacker who can get such an archive fed to either command can therefore write arbitrary files anywhere writable by the dokku user, including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access as that user. This vulnerability is fixed in 0.38.2.
Affected Vendors & Products

Vendor   Product   Version / Range
dokku    dokku     all versions before 0.38.2 (0.38.2 itself is not affected)
CWE

CWE-59 (Improper Link Resolution Before File Access, 'Link Following'): the product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. Here the link is created by the archive being extracted, and the later member written through it is the unintended access.
Compliance Impact

Because this vulnerability lets an attacker write arbitrary files anywhere writable by the dokku user, including overwriting ~/.ssh/authorized_keys to obtain unrestricted shell access, exploitation compromises the confidentiality, integrity and availability of everything the PaaS hosts.

Given its severity, it can affect compliance with standards and regulations such as GDPR and HIPAA, which require protection of sensitive data and prevention of unauthorized access.

Organizations running vulnerable versions of Dokku face an increased risk of data breaches or unauthorized data access, and therefore of non-compliance with those regulations.

Executive Summary

CVE-2026-45405 is a security vulnerability in Dokku, a Docker-powered PaaS, affecting versions prior to 0.38.2. It arises in the git:from-archive and certs:add commands, which extract user-supplied tar or zip archives into temporary directories without sanitizing member paths or preventing symlink traversal.

Because GNU tar creates symlinks as it extracts and then follows them when writing later members, an attacker can craft an archive whose first entry is a symlink pointing outside the extraction directory and whose later entries are files placed beneath that link. Those files land wherever the link points: anywhere writable by the dokku user, including ~/.ssh/authorized_keys, which grants unrestricted shell access as that user.

The vulnerability was fixed in Dokku 0.38.2 by hardening archive extraction to reject absolute paths, parent-directory (..) traversal entries and symlinks that resolve outside the extraction directory, and by adding archive-bomb limits and audit logging for archive operations.

Impact Analysis

Exploitation gives an attacker unauthorized access to and control over the Dokku host.

  • The attacker can write arbitrary files anywhere writable by the dokku user.
  • Overwriting ~/.ssh/authorized_keys with their own key gives them an unrestricted shell as the dokku user; on a typical installation that user is in the docker group, which is equivalent to root on the host.
  • The result is a critical compromise of the confidentiality, integrity and availability of the host and every application it runs.
Detection Guidance

Exploitation leaves two kinds of traces: the archive that was fed to git:from-archive or certs:add, and the files written outside the extraction directory, most likely ~dokku/.ssh/authorized_keys.

To detect potential exploitation, audit recent use of these two commands and check for unexpected modifications to sensitive files owned by the dokku user.

The advisory gives no ready-made detection commands; the following checks are a reasonable starting point:

  • Check when ~dokku/.ssh/authorized_keys last changed: `stat ~dokku/.ssh/authorized_keys` shows both the modification time (mtime, which an attacker can reset with touch) and the inode change time (ctime, which they cannot reset without root). Compare the file's contents with the keys registered through Dokku (`dokku ssh-keys:list`) and treat any extra or unrestricted key as a compromise.
  • Review Dokku command logs and the host's SSH/auth logs for invocations of git:from-archive and certs:add, and establish where each archive came from.
  • Search directories writable by the dokku user for symlinks whose target lies outside the tree they sit in, and for files created around the time of the suspicious command.
  • GNU tar itself keeps no logs; if the host runs auditd or file-integrity monitoring, review write events on ~dokku/.ssh/authorized_keys and on the temporary directories Dokku extracts into.
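The sweep the list above describes, as an added example written for this page (it is not Dokku's code). It assumes the dokku user's home is /home/dokku, that Dokku-managed authorized_keys entries carry options in front of the key, and that you can supply the set of keys you expect to find; EscapingSymlinks, keyID and UnknownKeys are names chosen here, and the inputs used to exercise them are constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// escapes reports whether a root-relative path climbs above root.
func escapes(rel string) bool {
	return rel == ".." || strings.HasPrefix(rel, "../")
}

// EscapingSymlinks walks root without following links and returns one line per
// symlink whose resolved target lies outside root, plus links that do not resolve.
func EscapingSymlinks(root string) ([]string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return nil, err
	}
	var found []string
	err = filepath.WalkDir(realRoot, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return nil // unreadable entries are skipped, non-links ignored
		}
		target, _ := os.Readlink(p)
		resolved, err := filepath.EvalSymlinks(p)
		if err != nil {
			found = append(found, fmt.Sprintf("%s -> %s (dangling)", p, target))
			return nil
		}
		if rel, err := filepath.Rel(realRoot, resolved); err != nil || escapes(rel) {
			found = append(found, fmt.Sprintf("%s -> %s (resolves to %s)", p, target, resolved))
		}
		return nil
	})
	return found, err
}

// keyID reduces an authorized_keys line to "type base64", skipping any options in
// front of the key (such as the command="..." prefix Dokku puts on managed keys);
// blank and comment lines give "". Every SSH public-key blob starts with a
// length-prefixed type name, so its base64 always begins with "AAAA"; requiring
// that keeps option text from being mistaken for a key.
func keyID(line string) string {
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		keyType := strings.HasPrefix(f[i], "ssh-") || strings.HasPrefix(f[i], "ecdsa-") || strings.HasPrefix(f[i], "sk-")
		if keyType && strings.HasPrefix(f[i+1], "AAAA") {
			return f[i] + " " + f[i+1]
		}
	}
	return ""
}

// UnknownKeys returns the authorized_keys lines whose key is not in known, a set of
// keyID strings for the keys that are supposed to be there (for example the keys the
// ssh-keys plugin reports). With a nil set every key line is returned for review.
func UnknownKeys(content string, known map[string]bool) []string {
	var out []string
	for _, line := range strings.Split(content, "\n") {
		if id := keyID(line); id != "" && !known[id] {
			out = append(out, strings.TrimSpace(line))
		}
	}
	return out
}

func main() {
	home := "/home/dokku" // assumed home of the dokku user; pass another path as argv[1]
	if len(os.Args) > 1 {
		home = os.Args[1]
	}
	links, err := EscapingSymlinks(home)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
	}
	for _, l := range links {
		fmt.Println("symlink leaving", home+":", l)
	}
	keys := filepath.Join(home, ".ssh", "authorized_keys")
	if fi, err := os.Stat(keys); err == nil {
		fmt.Println(keys, "last modified", fi.ModTime().Format("2006-01-02 15:04:05"))
	}
	if b, err := os.ReadFile(keys); err == nil {
		for _, k := range UnknownKeys(string(b), nil) {
			fmt.Println("authorized key present:", k)
		}
	}
}
```

Run it as the dokku user or root (`go run sweep.go /home/dokku`). Findings from EscapingSymlinks are not proof of exploitation on their own, since a deployed app may legitimately ship relative links, but a link resolving to ~dokku/.ssh or to a path outside the app tree deserves an explanation; a key line that is not in the set you registered through Dokku does not.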
Mitigation Strategies

The primary mitigation is to upgrade Dokku to version 0.38.2 or later, where this vulnerability is fixed.

The fix hardens archive extraction by rejecting absolute paths, parent-directory (..) traversal entries, and symlinks pointing outside the extraction directory before anything is written.

According to the advisory, the fix additionally passes --no-unsafe-links to GNU tar where the installed tar supports it, adds archive-bomb limits, and audit-logs archive operations. Check `tar --help` on your hosts before relying on that flag: the path and symlink checks must not depend on it.
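The rejection rules above, as an added example written for this page; it is not Dokku's code and does not show how 0.38.2 implements them. It assumes extraction happens into a fresh, empty temporary directory (so the only symlinks that can exist are the ones the archive itself creates), covers tar only (zip is analogous but not shown), and leaves out the bomb limits and audit logging. CheckTar, resolve, buildTar and Samples are names chosen here; the two archives are constructed sample data and the key line in the malicious one is a placeholder.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"path"
	"strings"
)

// ErrUnsafe marks an archive the pre-extraction check refuses.
var ErrUnsafe = errors.New("unsafe archive")

// resolve walks rel from dir one component at a time, as the kernel would, and returns
// the cleaned path plus false if any prefix on the way (final path included) is a symlink
// the archive created earlier. That per-component walk is what catches chains such as
// "b/x -> .." followed by "a -> b/x/..": path.Clean alone folds the target to "b".
func resolve(links map[string]bool, dir, rel string) (string, bool) {
	cur := dir
	for _, c := range strings.Split(rel, "/") {
		if links[cur] {
			return cur, false
		}
		cur = path.Join(cur, c)
	}
	return cur, !links[cur]
}

// escapes reports whether a cleaned relative path climbs above the extraction root.
func escapes(p string) bool {
	return p == ".." || strings.HasPrefix(p, "../")
}

// CheckTar scans a tar stream without writing anything and returns ErrUnsafe for the
// classes the advisory says the fix rejects (absolute names, parent traversal, symlinks
// pointing outside the extraction directory), plus entries written through an earlier
// symlink, hard links and special files. Extract into a fresh directory only if it is nil.
func CheckTar(r io.Reader) error {
	tr := tar.NewReader(r)
	links := map[string]bool{} // cleaned paths of symlinks seen so far
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		name, ok := resolve(links, ".", hdr.Name)
		if strings.HasPrefix(hdr.Name, "/") || escapes(name) || !ok {
			return fmt.Errorf("%w: %q escapes the extraction directory or passes through a symlink", ErrUnsafe, hdr.Name)
		}
		switch hdr.Typeflag {
		case tar.TypeDir, tar.TypeReg:
		case tar.TypeSymlink:
			target, ok := resolve(links, path.Dir(name), hdr.Linkname)
			if strings.HasPrefix(hdr.Linkname, "/") || escapes(target) || !ok {
				return fmt.Errorf("%w: symlink %q -> %q leaves the extraction directory", ErrUnsafe, hdr.Name, hdr.Linkname)
			}
			links[name] = true
		default: // hard links, devices, FIFOs: nothing an app or certificate bundle needs
			return fmt.Errorf("%w: entry type %q for %q", ErrUnsafe, hdr.Typeflag, hdr.Name)
		}
	}
}

// buildTar assembles constructed headers (with bodies keyed by name) into an in-memory tarball.
func buildTar(bodies map[string]string, hdrs ...*tar.Header) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, h := range hdrs {
		h.Size = int64(len(bodies[h.Name]))
		tw.WriteHeader(h)
		io.WriteString(tw, bodies[h.Name])
	}
	tw.Close()
	return buf.Bytes()
}

// Samples are constructed archives: "benign" is an ordinary app tarball with an in-tree
// symlink; "malicious" has the shape the advisory describes (the key line is a placeholder).
func Samples() map[string][]byte {
	return map[string][]byte{
		"benign": buildTar(map[string]string{"app/Procfile": "web: ./server\n"},
			&tar.Header{Typeflag: tar.TypeDir, Name: "app", Mode: 0o755},
			&tar.Header{Typeflag: tar.TypeReg, Name: "app/Procfile", Mode: 0o644},
			&tar.Header{Typeflag: tar.TypeSymlink, Name: "app/current", Linkname: "Procfile"}),
		"malicious": buildTar(map[string]string{"ssh/authorized_keys": "ssh-ed25519 AAAAexamplekey attacker\n"},
			&tar.Header{Typeflag: tar.TypeSymlink, Name: "ssh", Linkname: "../../.ssh"},
			&tar.Header{Typeflag: tar.TypeReg, Name: "ssh/authorized_keys", Mode: 0o600}),
	}
}

func main() {
	for name, data := range Samples() {
		fmt.Printf("%-9s %v\n", name, CheckTar(bytes.NewReader(data)))
	}
}
```

Run the check over the uploaded file first and extract only when it returns nil. The part worth copying is the per-component walk in resolve: a check that only cleans each symlink target lexically accepts "b/x -> .." (it resolves to the root itself) and then "a -> b/x/.." (cleaned to "b"), although "a" really points to the parent of the extraction directory and a later "a/evil" entry would land there.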

If an immediate upgrade is not possible, restrict git:from-archive and certs:add to trusted operators and feed them only archives from sources you control; before using a third-party archive, list it (`tar -tvf archive.tar`) and reject it if any member has an absolute name, a `..` component, or is a symlink.

Monitor and audit archive extraction activity and verify the integrity of critical files such as ~dokku/.ssh/authorized_keys.
