Skip to main content

Dokku EUVDEUVD-2026-39804

| CVE-2026-45405 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-06-26 GitHub_M
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
CRITICAL
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker needs deploy/cert command access so PR:L; archive can be remotely supplied (AV:N), extraction is deterministic (AC:L), and arbitrary file write to authorized_keys yields full C/I/A.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 19:15 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 19:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 19:07 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 19:07 NVD
CRITICAL HIGH
CVSS changed
Jun 26, 2026 - 19:07 NVD
9.0 (CRITICAL) 8.8 (HIGH)
Patch available
Jun 26, 2026 - 18:02 EUVD
Source Code Evidence Fetched
Jun 26, 2026 - 17:26 vuln.today
Analysis Generated
Jun 26, 2026 - 17:26 vuln.today

DescriptionNVD

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user - including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.

AnalysisAI

Arbitrary file write in Dokku before 0.38.2 lets an attacker with deploy-level access escalate to full shell access on the host. The git:from-archive and certs:add commands extract attacker-supplied tar/zip archives without sanitizing member paths, and because GNU tar creates and then follows symlinks during extraction, a crafted archive can plant files anywhere the dokku user can write - most damagingly ~/.ssh/authorized_keys. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Dokku deploy/cert command access
Delivery
Craft tar with out-of-tree symlink + payload entry
Exploit
Submit via git:from-archive or certs:add
Execution
tar follows symlink, writes ~/.ssh/authorized_keys
Persist
SSH in as dokku user
Impact
Full shell / host compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to be able to invoke Dokku's git:from-archive or certs:add commands with an attacker-controlled tar/zip archive (PR:L - a deploy or certificate-management user, not an anonymous outsider), and the target must run a version prior to 0.38.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N, C:H/I:H/A:H, score 8.8) describes a low-privilege, low-complexity, network-reachable flaw with total impact, consistent with the SSVC 'Technical Impact: total' rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with permission to deploy apps (or to provide an archive URL to git:from-archive) crafts a tar archive whose first entry is a symlink named, say, 'link' that points to /home/dokku/.ssh, followed by an entry 'link/authorized_keys' containing the attacker's public key. When Dokku extracts the archive, GNU tar follows the symlink and writes authorized_keys outside the temp directory, granting the attacker SSH shell access as the dokku user. …
Remediation Vendor-released patch: upgrade to Dokku 0.38.2 or later, which validates archives before extraction and rejects absolute paths, parent-directory (..) traversal, and symlinks pointing outside the extraction directory, as documented in GHSA-j6qq-xg73-ghqg and PR #8591. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Dokku instances and current versions; restrict deploy-level access to essential administrators and automated systems only; review access logs for unauthorized activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-39804 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy