CVE Alert

CVE-2026-45407

MEDIUM 5.0

Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch

CVSS Score: 5.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
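The ordering problem described above, reproduced as an added example that is not Dokku's own code: `write_credentials` is a hypothetical stand-in for a writer that requests 0600 when it creates the file, and every file name is constructed. `audit_netrc` can also be pointed at an existing `.netrc` to check its mode.

```shell
#!/bin/sh
# Constructed demo: runs in a temp directory, never touches a real $DOKKU_ROOT.

# Stand-in for a credential writer that requests 0600 when it creates the
# file (assumption: models the netrc binary's behaviour described above).
write_credentials() {
  ( umask 077; printf 'machine git.example.invalid login u password p\n' >> "$1" )
}

# Flawed order: touch creates the file first under umask 022 (mode 0644);
# the writer then opens an existing file, so its 0600 request is never applied.
vulnerable_create() {
  ( umask 022; touch "$1" )
  write_credentials "$1"
}

# Safe order: no pre-creation, so the writer's creation mode takes effect.
hardened_create() {
  write_credentials "$1"
}

# Octal permission bits, GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Exit 0 only when group and other have no access at all.
audit_netrc() {
  mode=$(file_mode "$1") || return 2
  case "$mode" in
    *00) echo "OK   $1 mode=$mode"; return 0 ;;
    *)   echo "WEAK $1 mode=$mode (readable beyond owner)"; return 1 ;;
  esac
}

demo() {
  dir=$(mktemp -d) || return 1
  vulnerable_create "$dir/netrc.touch-first"
  hardened_create "$dir/netrc.writer-only"
  audit_netrc "$dir/netrc.touch-first" || true
  audit_netrc "$dir/netrc.writer-only"
  rm -rf "$dir"
}
demo
```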

CWE: CWE-522
Vendor: dokku
Product: dokku
Published: Jun 26, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

dokku / dokku
< 0.38.2

References

github.com: https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr
github.com: https://github.com/dokku/dokku/pull/8589