Arbitrary File Write Vulnerability in Dokku by Dokku Team
CVE-2026-45405

9CRITICAL

Key Information:

Vendor: Dokku
Status: Dokku
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-45405?

Dokku, a platform-as-a-service (PaaS) solution powered by Docker, contains a vulnerability in its git:from-archive and certs:add commands. This issue arises from the extraction of user-supplied tar/zip archives into temporary directories without adequate path sanitization or protection against symlink traversal. When activated, GNU tar creates symlinks during this extraction and follows them for additional entries, which can be exploited by an attacker to write arbitrary files to locations writable by the Dokku user. This includes the potential to overwrite critical files such as ~/.ssh/authorized_keys, thereby granting the attacker unrestricted shell access. Users are advised to upgrade to version 0.38.2 or later, where this vulnerability has been addressed.

Affected Version(s)

dokku < 0.38.2

References

https://github.com/dokku/dokku/security/advisories/GHSA-j...

x_refsource_CONFIRM

https://github.com/dokku/dokku/pull/8591

x_refsource_MISC

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45405 Data

JSON