CVE-2026-45408
Received Received - Intake
Command Injection in Dokku via Git App Name

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: GitHub, Inc.

Description
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-26
Last Modified
2026-06-26
Generated
2026-06-26
AI Q&A
2026-06-26
EPSS Evaluated
N/A
NVD
CVE-2026-45408
EUVD
EUVD-2026-39801
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dokku dokku to 0.38.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-45408 is a critical OS command injection vulnerability that allows an authenticated user to execute arbitrary commands as the Dokku user, potentially compromising confidentiality, integrity, and availability of the system.

Such a vulnerability could lead to unauthorized access or modification of sensitive data, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of personal and health information.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Executive Summary

CVE-2026-45408 is a critical OS command injection vulnerability in Dokku versions prior to 0.38.2. It occurs because the app name validation regex allows shell metacharacters such as semicolons, dollar signs, backticks, and pipes. When an authenticated user pushes to a git remote with a specially crafted app name containing these metacharacters, the name is embedded unquoted into a bash pre-receive hook script. This unquoted embedding allows bash to interpret the metacharacters as command separators, enabling the execution of arbitrary commands as the Dokku user.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user with push access to execute arbitrary commands on the server as the Dokku user. The CVSS score is 9.0 (Critical), indicating high severity. The attack can be performed remotely over the network with low complexity and requires only low privileges and user interaction. Successful exploitation can compromise confidentiality, integrity, and availability of the affected system.

Detection Guidance

Detection of this vulnerability involves identifying if your Dokku installation is running a version prior to 0.38.2 and if there are git push attempts with app names containing shell metacharacters.

You can check the Dokku version installed by running the command:

  • dokku --version

To detect potentially malicious git push attempts, you can monitor git pre-receive hook logs or audit git push commands for app names containing characters like ;, $, `, |, &.

For example, you can search your git logs or server logs for suspicious app names using commands like:

  • grep -E '[;$`|&]' /var/lib/dokku/data/git-hooks/pre-receive.log
  • journalctl -u dokku | grep -E '[;$`|&]'

Additionally, inspecting the git remote URLs or push commands for app names with shell metacharacters can help identify exploitation attempts.

Mitigation Strategies

The primary mitigation step is to upgrade Dokku to version 0.38.2 or later, where the vulnerability has been fixed.

This update restricts app names to lowercase alphanumerics, dots, and hyphens, and quotes the app variable in the git pre-receive hook script to prevent command injection.

Until you can upgrade, consider restricting git push access to trusted users only and monitor git push activity for suspicious app names containing shell metacharacters.

If possible, apply temporary access controls or network restrictions to limit exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart