CVE-2026-45408
Dokku: OS Command Injection via App Name in Git Pre-Receive Hook
CVSS Score: 9.0
EPSS Score: 0.0%
EPSS Percentile: 0th
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.
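As an added illustration (not Dokku's code), the script below checks app names against the validation pattern quoted above and against a strict allow-list, and writes a pre-receive hook that receives the name as data rather than as script text. The strict pattern, the DOKKU_APP_NAME variable and the hook body are assumptions for this example, not Dokku's implementation or its fix.

```shell
#!/bin/sh
# Added example, not Dokku's code: contrasts the permissive pattern cited in
# the advisory with an assumed strict allow-list, and generates a hook that
# never has the app name interpolated into its source.
LC_ALL=C; export LC_ALL   # keep the [a-z] / [A-Z] ranges ASCII-only

VULN_PATTERN='^[a-z0-9][^/:_A-Z]*$'     # pattern quoted in the advisory
STRICT_PATTERN='^[a-z0-9][a-z0-9.-]*$'  # assumed allow-list; not Dokku's fix

# Exit status 0 if NAME ($1) matches the extended regex PATTERN ($2).
name_matches() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# Exit status 0 only when every character of the name is in the allow-list.
is_safe_app_name() {
  name_matches "$1" "$STRICT_PATTERN"
}

# Writes a pre-receive hook to OUT ($2) for app APP ($1). The name is
# validated first and is handed to the hook at run time through the
# environment (DOKKU_APP_NAME is an assumed variable name). The quoted
# delimiter 'EOF' keeps $DOKKU_APP_NAME literal in the written file, so no
# part of the name can ever be parsed as shell syntax when the hook runs.
write_hook() {
  app="$1"; out="$2"
  is_safe_app_name "$app" || return 1
  cat > "$out" <<'EOF'
#!/bin/sh
set -eu
printf 'pre-receive hook running for app: %s\n' "$DOKKU_APP_NAME"
EOF
  chmod +x "$out"
}

# Runs the hook at HOOK ($2) with the validated app name ($1) supplied as
# an environment variable, i.e. as data the hook prints, not code it runs.
run_hook() {
  is_safe_app_name "$1" || return 1
  DOKKU_APP_NAME="$1" sh "$2"
}
```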
| Field | Value |
|---|---|
| CWE | CWE-78 |
| Vendor | dokku |
| Product | dokku |
| Published | Jun 26, 2026 |
CVSS v3 Breakdown

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions

dokku / dokku: < 0.38.2