CVE-2026-45407
Dokku Git Credential Exposure via Insecure .netrc Permissions

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dokku is a Docker-powered PaaS. Prior to 0.38.2, the git:auth command pre-creates $DOKKU_ROOT/.netrc with bash's touch command, which under the default umask produces mode 0644. Creating the file first defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
Affected Vendors & Products

Vendor  Product  Version / Range
dokku   dokku    up to 0.38.2 (exclusive)
CWE
CWE-522: The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
AI Quick Actions
Impact Analysis

This vulnerability can lead to unauthorized disclosure of your git credentials to any local user on the system who can traverse the Dokku home directory.

Since the .netrc file is world-readable due to improper permissions, sensitive credentials are exposed, which compromises confidentiality.

An attacker with local access and low privileges can exploit this vulnerability to read your git credentials, potentially leading to further unauthorized access.

The vulnerability has a moderate severity score of 5.0, reflecting its impact on confidentiality but limited to local access.

Mitigation Strategies

To mitigate this vulnerability immediately, you should manually set the permissions of the .netrc file to be readable and writable only by the owner.

  • Run the command: chmod 0600 /home/dokku/.netrc

Additionally, upgrading Dokku to version 0.38.2 or later will apply a fix that enforces strict permissions automatically and repairs existing installations.

Executive Summary

CVE-2026-45407 is a vulnerability in Dokku versions prior to 0.38.2 related to the creation of the .netrc file by the git:auth command.

The issue arises because the .netrc file is created using the touch command, which applies default file permissions of 0644, making the file world-readable.

This happens before the netrc binary can enforce its intended stricter permissions of 0600, which would restrict access to only the owner.

As a result, git credentials stored in the .netrc file are exposed and readable by any local user who can access the Dokku home directory.

Detection Guidance

This vulnerability can be detected by checking the permissions of the .netrc file located in the Dokku home directory. If the permissions are set to 0644 or more permissive, the file is vulnerable because it is readable by other local users.

  • Run the command: ls -l /home/dokku/.netrc
  • If the output shows permissions such as -rw-r--r-- (0644), that is, any read bit set for group or others, the file is vulnerable; -rw------- (0600) is the expected state.
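
A script form of the check above, as an added example that is not part of this record or of the Dokku project: it reports whether a netrc file at the given path (defaulting to /home/dokku/.netrc, the path used in the commands above) grants any group or other access, and a second function applies the same 0600 tightening the 0.38.2 fix performs. The function names are assumptions.

```shell
#!/bin/sh
# Report whether a netrc file is readable by anyone other than its owner.
# Returns 0 when the mode is owner-only (0600 or tighter), 1 when any
# group/other permission bit is set, 2 when the file is absent or unreadable.
check_netrc_perms() {
    f="${1:-/home/dokku/.netrc}"   # default path from the commands above
    if [ ! -e "$f" ]; then
        printf '%s: no netrc file present, nothing to expose\n' "$f"
        return 2
    fi
    # Octal permission bits: GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ -n "$mode" ] || return 2
    mode=$(printf '%04d' "$mode")   # pad so "644" and "4755" both read alike
    # The last two octal digits are the group and other classes; both must be 0.
    case "$mode" in
        *00) printf '%s: mode %s is owner-only (OK)\n' "$f" "$mode"; return 0 ;;
        *)   printf '%s: mode %s grants group/other access (VULNERABLE)\n' "$f" "$mode"
             return 1 ;;
    esac
}

# Apply the tightening the 0.38.2 fix performs (chmod 0600), then re-check.
fix_netrc_perms() {
    f="${1:-/home/dokku/.netrc}"
    [ -e "$f" ] || return 2
    chmod 0600 "$f" && check_netrc_perms "$f"
}

# Typical use on a host: check the default path and tighten if needed.
# check_netrc_perms || fix_netrc_perms
```

The check inspects only the permission bits; ownership of the file and of the Dokku home directory should still be the dokku user, as the record's traversal condition assumes.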
Compliance Impact

The vulnerability exposes git credentials stored in the .netrc file to any local user who can access the Dokku home directory due to improper file permissions (0644 instead of the intended 0600). This unauthorized exposure of sensitive credentials can lead to confidentiality breaches.

Such exposure of sensitive authentication data could potentially violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to sensitive information to protect confidentiality and prevent unauthorized access.

Mitigation involves updating Dokku to version 0.38.2 or later, which enforces proper file permissions (0600) on the .netrc file, thereby reducing the risk of unauthorized access and helping maintain compliance with data protection regulations.
