CVE-2026-54636 | Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron pl… | CVSS 9.0 CRITICAL

Description

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.

Metadata

CVE ID: CVE-2026-54636
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-15 20:07 UTC
Published: 2026-06-26 16:23 UTC
Last updated: 2026-06-26 16:23 UTC
Primary CWE: CWE-78
CWE-78: Improper Neutralization of Special Elements used in …
Vendor / Product: dokku / dokku
Sources: cve.org · NVD

Severity & Metrics

9.0 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
dokku	dokku	—	< 0.38.7

Weakness (CWE)

CWE	Source	Description
CWE-78	cna	CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.0	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

References (2)

https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w
https://github.com/dokku/dokku/pull/8672 https://github.com/dokku/dokku/pull/8672