CVE-2026-45406 | Dokku is a docker-powered PaaS. Prior to 0.38.2, the openres… | CVSS 9.0 CRITICAL

Description

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.

Metadata

CVE ID: CVE-2026-45406
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-12 01:48 UTC
Published: 2026-06-26 16:22 UTC
Last updated: 2026-06-26 18:30 UTC
Primary CWE: CWE-95
CWE-95: Improper Neutralization of Directives in Dynamically…
Vendor / Product: dokku / dokku
Sources: cve.org · NVD

Severity & Metrics

9.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
dokku	dokku	—	< 0.38.2

Weakness (CWE)

CWE	Source	Description
CWE-95	cna	CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (2)

https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9 https://github.com/dokku/dokku/security/advisories/GHSA-ggqh-98fj-8mg9
https://github.com/dokku/dokku/pull/8588 https://github.com/dokku/dokku/pull/8588