CVE-2026-45406
Command Injection in Dokku via OpenResty Vhosts Plugin

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.
Affected Vendors & Products
Showing 1 associated CPE
Vendor: dokku
Product: dokku
Version / Range: up to 0.38.2 (excluding)
CWE-95: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45406 is a critical security vulnerability in Dokku versions prior to 0.38.2 involving the openresty-vhosts plugin. This plugin copies files from an application's openresty/http-includes git repository directory to the host and interpolates their filenames into a shell string without proper escaping.

If a filename contains a single quote, it breaks the shell quoting and allows command substitution, enabling an attacker to execute arbitrary commands on the host as the dokku user during the application's next deployment.

This vulnerability requires the attacker to have push access to the application where OpenResty is configured as the proxy.

Impact Analysis

This vulnerability can lead to remote code execution on the host machine running Dokku, allowing an attacker to run arbitrary commands with the privileges of the dokku user.

The impact includes a complete compromise of confidentiality, integrity, and availability of the affected system.

  • Confidentiality: An attacker could access sensitive data on the host.
  • Integrity: An attacker could modify or delete files and configurations.
  • Availability: An attacker could disrupt services by executing destructive commands.
Detection Guidance

This vulnerability can be detected by checking for unsafe filenames in the openresty/http-includes/ git repository directory of your Dokku applications. Filenames containing single quotes or other shell metacharacters can indicate potential exploitation attempts.

Since the vulnerability involves filenames that break shell quoting during deployment, you can scan the relevant directories for filenames containing characters outside the safe set (alphanumeric characters, underscores, periods, and hyphens).

  • Use a command like `find /path/to/app/openresty/http-includes/ -name "*'*"` to find files with single quotes in their names.
  • Alternatively, list every entry whose name contains a character outside the safe set. Note that find's `-regex` matches the whole path, including the `/` separators, so the pattern must be anchored on the basename: `find /path/to/app/openresty/http-includes/ -mindepth 1 -regextype posix-extended ! -regex '.*/[a-zA-Z0-9_.-]+$'`

Also, monitor deployment logs for failures or warnings related to unsafe filenames, as the patched version aborts deployments if unsafe filenames are detected.
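The scan above, and the pre-deploy filename validation suggested under the mitigation strategies, packaged as a reusable gate. This is an added example, not Dokku's own code; it assumes only POSIX sh and find, and the paths in the trailing comment are placeholders.

```shell
#!/bin/sh
# Added example, not part of Dokku: refuse an include directory whose
# filenames fall outside the safe set [a-zA-Z0-9_.-] named in the advisory.

# check_include_names DIR
# Lists every entry under DIR whose basename contains a character outside
# the safe set. Returns 0 when DIR is clean or absent, 1 when any unsafe
# name is found. find's -name matches the basename only, so the '/' in
# directory components never causes a false positive; -mindepth 1 keeps
# DIR itself out of the scan.
check_include_names() {
    dir=$1
    [ -d "$dir" ] || return 0
    unsafe=$(find "$dir" -mindepth 1 -name '*[!a-zA-Z0-9_.-]*' -print)
    if [ -n "$unsafe" ]; then
        printf 'refusing deploy: unsafe filename(s) under %s\n%s\n' \
            "$dir" "$unsafe" >&2
        return 1
    fi
    return 0
}

# check_all DIR...
# Gates several include directories at once (e.g. http-includes and
# location-includes); any unsafe name fails the whole run.
check_all() {
    rc=0
    for d in "$@"; do
        check_include_names "$d" || rc=1
    done
    return $rc
}

# Usage (placeholder paths):
# check_all /path/to/app/openresty/http-includes \
#           /path/to/app/openresty/location-includes || exit 1
```

Run it from a pre-deploy hook or CI job so a push carrying a quoted filename is rejected before the deploy, matching what the patched Dokku release does.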

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Dokku to version 0.38.2 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, ensure that no untrusted users have push access to applications using OpenResty as the configured proxy, as exploitation requires push access.

Manually audit and remove or rename any files in the openresty/http-includes/ and location-includes directories that contain unsafe characters such as single quotes or other shell metacharacters.

Consider implementing additional deployment checks or scripts to validate filenames against the safe pattern ([a-zA-Z0-9_.-]) before deployment.

Monitor deployment logs for any failures related to unsafe filenames, as the patched version aborts deployments if unsafe filenames are detected.

Compliance Impact

The vulnerability allows remote code execution with high impact on confidentiality, integrity, and availability by enabling arbitrary command execution on the host as the dokku user during app deployment.

Such a compromise could lead to unauthorized access or modification of sensitive data, which may violate compliance requirements under standards like GDPR or HIPAA that mandate protection of data confidentiality and integrity.

Therefore, if exploited, this vulnerability could negatively affect an organization's compliance posture by exposing sensitive information or disrupting system availability.
