CVE-2026-45408
CriticalCVSS 9.0Exploitation Probability (EPSS)
Low risk14th percentile — higher than 14% of all known CVEs
Summary
A vulnerability in Dokku before version 0.38.2 allows remote code execution by an authenticated user. The app name validation permits shell metacharacters, which are then embedded unquoted into a git hook script, enabling arbitrary command execution as the dokku user.
Risk Assessment
An attacker can take over the Dokku server by executing arbitrary commands as the dokku user, leading to full compromise of the platform and hosted applications.
Recommendation
Immediately update Dokku to version 0.38.2 or later, which includes a fix for app name validation and safe heredoc usage.
Original NVD description (English source)
Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell metacharacters. When an authenticated user pushes to a git remote with a crafted app name, the name is embedded unquoted into a bash pre-receive hook script via an unquoted heredoc (<<EOF instead of <<'EOF') in fn-git-create-hook() at plugins/git/internal-functions:378. On git push, bash interprets the semicolon as a command separator, executing arbitrary commands as the dokku user. This vulnerability is fixed in 0.38.2.

