
CVE-2026-45405

Severity: Critical
Published: 26 June 2026
Modified: 26 June 2026
KEV Added: not listed
Patch: fixed in Dokku 0.38.2
CVSS Score v3.1: 9.0 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0029 (20.7th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-45405 is a critical-severity Link Following (CWE-59, Improper Link Resolution Before File Access) vulnerability in Dokku, the Docker-powered PaaS from the Dokku project. Its CVSS v3.1 base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Vulnerability details

Dokku is a Docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, so an archive can first ship a symlink member that points outside the temporary directory and then a regular file whose path runs through that link. This lets an attacker write arbitrary files anywhere writable by the dokku user, including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access as that user. This vulnerability is fixed in 0.38.2.
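As an added illustration (not Dokku's code and not the 0.38.2 fix), the Python below builds the kind of archive the paragraph describes, a symlink member followed by a regular file written through it, plus a plain ".." entry, and shows the pre-extraction validation a handler for git:from-archive or certs:add needs: walk every member before writing anything, reject absolute paths, ".." components and symlink or hardlink members, and then create regular files with O_NOFOLLOW and O_EXCL so a link is never created or followed. The archive contents, the /home/dokku/.ssh link target and the placeholder key text are constructed for this example.

```python
import io
import os
import tarfile
import tempfile
from pathlib import PurePosixPath


def build_malicious_tar() -> bytes:
    """Constructed sample (not a real payload): a symlink member pointing outside
    the extraction dir, a file whose path runs through it, and a '..' entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        link = tarfile.TarInfo("ssh")
        link.type = tarfile.SYMTYPE
        link.linkname = "/home/dokku/.ssh"  # hypothetical target path
        tf.addfile(link)
        key = b"ssh-ed25519 AAAA... attacker\n"  # constructed placeholder text
        member = tarfile.TarInfo("ssh/authorized_keys")
        member.size = len(key)
        tf.addfile(member, io.BytesIO(key))
        esc = tarfile.TarInfo("../escape.txt")
        esc.size = 2
        tf.addfile(esc, io.BytesIO(b"hi"))
    return buf.getvalue()


def build_benign_tar() -> bytes:
    """Constructed sample of an acceptable upload: directories and regular files only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        d = tarfile.TarInfo("app")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
        src = b"web: python app.py\n"
        f = tarfile.TarInfo("app/Procfile")
        f.size = len(src)
        tf.addfile(f, io.BytesIO(src))
    return buf.getvalue()


def find_unsafe_members(tar_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for every member that must block extraction:
    absolute paths, '..' components, link members, paths running through an
    earlier link member, and anything that is not a regular file or directory."""
    problems = []
    symlinks: set[str] = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf:
            parts = PurePosixPath(m.name).parts
            if m.name.startswith("/"):
                problems.append((m.name, "absolute path"))
            elif ".." in parts:
                problems.append((m.name, "parent-directory traversal"))
            elif m.issym() or m.islnk():
                problems.append((m.name, "symlink or hardlink member"))
                symlinks.add("/".join(parts))
            elif any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
                problems.append((m.name, "path passes through a symlink member"))
            elif not (m.isfile() or m.isdir()):
                problems.append((m.name, "not a regular file or directory"))
    return problems


def safe_extract(tar_bytes: bytes, dest: str) -> list[str]:
    """Validate the whole archive first, then write files by hand instead of
    calling extractall(), so no symlink is ever created or followed."""
    problems = find_unsafe_members(tar_bytes)
    if problems:
        raise ValueError(f"refusing to extract: {problems}")
    root = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tf:
        for m in tf:
            target = os.path.join(root, m.name)
            # Belt and braces: the resolved path must still be inside dest.
            if os.path.commonpath([root, os.path.realpath(target)]) != root:
                raise ValueError(f"{m.name} resolves outside {dest}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
                written.append(m.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # O_NOFOLLOW|O_EXCL: never write through a pre-existing link or file.
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o644)
            with os.fdopen(fd, "wb") as dst, tf.extractfile(m) as src:
                dst.write(src.read())
            written.append(m.name)
    return written


def demo() -> dict:
    """Run both constructed archives through the checks and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(build_malicious_tar(), tmp)
            refused = False
        except ValueError:
            refused = True
        written = safe_extract(build_benign_tar(), tmp)
        with open(os.path.join(tmp, "app", "Procfile"), "rb") as fh:
            procfile = fh.read()
    return {"unsafe": find_unsafe_members(build_malicious_tar()),
            "refused": refused, "written": written, "procfile": procfile}


if __name__ == "__main__":
    print(demo())
```

The important design point is that validation runs over the complete member list before a single byte is written: a check performed entry by entry during extraction is exactly what GNU tar does, and it is too late once the symlink already exists on disk. Zip uploads need the same treatment, since zipfile members can likewise carry absolute names, ".." segments and (via external attributes) symlink entries.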

CWE(s)

CWE-59: Improper Link Resolution Before File Access ('Link Following')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Symlink traversal during archive extraction gives an arbitrary file write through a public PaaS interface, which becomes remote code execution once ~/.ssh/authorized_keys is overwritten (T1190); the same overwrite turns the ability to supply an archive into an unrestricted shell as the dokku user (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-45408 (same product: Dokku)
CVE-2026-54636 (same product: Dokku)
CVE-2026-45406 (same product: Dokku)
CVE-2026-45586 (shared CWE-59)
CVE-2026-20610 (shared CWE-59)
CVE-2026-2627 (shared CWE-59)
CVE-2026-26225 (shared CWE-59)
CVE-2025-63946 (shared CWE-59)
CVE-2025-63945 (shared CWE-59)
CVE-2026-11837 (shared CWE-59)

Affected Assets

Dokku (dokku): all versions prior to 0.38.2 (the fixed release is 0.38.2, so 0.38.2 itself is not affected)

Mitigating Controls

No mitigating controls mapped yet. Remediation is to upgrade Dokku to 0.38.2 or later; until then, only archives from trusted sources should be passed to git:from-archive or certs:add.
