CVE-2026-45407
MediumCVSS 5.0Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In Dokku prior to version 0.38.2, the git:auth command creates the $DOKKU_ROOT/.netrc file using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory.
Risk Assessment
The risk is that unauthorized local users can read git credentials, potentially leading to unauthorized access to repositories and leakage of sensitive source code.
Recommendation
Immediately update Dokku to version 0.38.2 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.

