Cyber Resilience

CVE-2026-45406

Critical · RCE

Published: 26 June 2026

Modified: 26 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0027 (19.2th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-45406 is a critical-severity Eval Injection (CWE-95) vulnerability in Dokku. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Dokku is a Docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Eval injection in shell string enables arbitrary Unix command execution (T1059.004) via exploitation of the PaaS (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-54636 - Same product: Dokku
CVE-2026-45408 - Same product: Dokku
CVE-2026-45405 - Same product: Dokku
CVE-2025-68271 - Shared CWE-95
CVE-2025-55585 - Shared CWE-95
CVE-2013-10051 - Shared CWE-95
CVE-2026-23885 - Shared CWE-95
CVE-2026-8914 - Shared CWE-95
CVE-2026-33618 - Shared CWE-95
CVE-2025-50187 - Shared CWE-95

Affected Assets

dokku
dokku
≤ 0.38.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
