CVE-2026-45405 in Dokku
Summary
by MITRE • 06/26/2026
Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
Analysis
by VulDB Data Team • 06/26/2026
This vulnerability affects dokku version 0.38.1 and earlier, where the git:from-archive and certs:add commands fail to properly sanitize archive member paths during extraction operations. The flaw stems from insufficient input validation and path sanitization mechanisms that allow attackers to manipulate archive contents to create malicious file paths. When these commands process user-supplied tar or zip archives, they extract files into temporary directories without proper path validation, creating a critical security weakness that can be exploited through carefully crafted archive contents.
The vulnerability relies on GNU tar's behavior of creating symbolic links during extraction and then following those symlinks for subsequent file operations. This creates a symlink traversal attack vector where an attacker can construct an archive containing entries that create symlinks pointing to sensitive system locations such as ~/.ssh/authorized_keys. When the extraction process follows these symlinks, it writes malicious content directly to privileged files that control SSH access to the system. The vulnerability specifically targets the dokku user's privileges and leverages the fact that archive extraction operations are performed with elevated permissions to execute arbitrary file modifications.
The operational impact of this vulnerability is severe as it allows remote attackers to gain unrestricted shell access to systems running vulnerable versions of dokku. By overwriting the ~/.ssh/authorized_keys file, attackers can establish persistent access to the system without requiring additional authentication credentials. This represents a complete compromise of the affected system's security posture and enables attackers to perform arbitrary operations including data exfiltration, system modification, and further lateral movement within network environments. The vulnerability affects systems where dokku is used as a platform-as-a-service solution for deploying applications, making it particularly dangerous in multi-tenant environments.
Mitigation strategies should focus on upgrading to dokku version 0.38.2 or later where the vulnerability has been addressed through proper path sanitization and archive extraction validation. Organizations should also implement additional security controls such as restricting access to git:from-archive and certs:add commands to trusted users only, implementing network segmentation to limit exposure, and monitoring for suspicious archive uploads. The fix implemented in version 0.38.2 addresses the core issue by ensuring that all archive member paths are properly validated and sanitized before extraction operations occur, preventing the creation of malicious symbolic links that could lead to arbitrary file writes. This vulnerability aligns with CWE-22 Path Traversal and ATT&CK technique T1566 Credential Access through exploitation of insecure file handling practices in containerized platform environments.
The broader implications of this vulnerability highlight the importance of secure archive handling in containerized and platform-as-a-service environments where user-supplied content processing is common. Organizations should implement comprehensive input validation for all external data processing operations, particularly those involving file system operations and archive extraction. Regular security assessments of platform components and timely patch management are essential to prevent exploitation of similar vulnerabilities in other software components that may be susceptible to path traversal attacks through improper archive handling mechanisms.