CVE-2026-45406 in Dokku

Summary

by MITRE • 06/26/2026

Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-includes/ git repository directory to the host and then interpolates their filenames, unescaped, into a single-quoted shell string that is later parsed by eval. A filename containing a single quote breaks the quoting and allows command substitution to execute arbitrary commands on the host as the dokku user during the app's next deploy. This vulnerability is fixed in 0.38.2.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability in Dokku's openresty-vhosts plugin is a critical command injection flaw caused by missing input validation and unsafe shell string construction. It affects versions prior to 0.38.2: the plugin processes files from an application's git repository, specifically the openresty/http-includes/ directory, copies them to the host system, and then interpolates their filenames into a shell command string without sanitizing or escaping them.

Exploitation follows the classic shell injection pattern: user-controllable input flows directly into a shell command that is built by string concatenation and interpolation, with no shell escaping or parameter validation. A filename containing a single quote terminates the intended single-quoted string, so the attacker-controlled remainder is parsed by eval and arbitrary command substitution runs during the next deployment.

The flaw combines an input validation failure, shell injection, and privilege escalation through the application deployment process. Its impact is severe because the injected commands run as the dokku user during normal deployment operations, giving an attacker a persistent backdoor inside the platform's operational lifecycle. The attack vector rides on legitimate deployment workflows and abuses the trust relationship between the plugin and the hosting environment.

The consequences go beyond single command execution: an attacker could use the flaw to escalate privileges within the dokku containerized environment, read sensitive application configurations, exfiltrate data, or establish persistent access for further exploitation. Because the flaw sits in Dokku's core deployment path, it is particularly dangerous in production environments where deployments are frequent.

Mitigation centers on proper input sanitization and shell escaping in the plugin code. The fix in version 0.38.2 escapes filenames before inserting them into shell command contexts, so they can no longer break out of the quoting. Operators should additionally enforce strict file validation policies for deployment directories, monitor deployment logs for anomalous command execution, and tighten access controls around git repository modifications. The issue maps to CWE-78 (improper neutralization of special elements used in an OS command) and CWE-832 (weak input validation), and to ATT&CK techniques covering command injection and privilege escalation through deployment processes.
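As an added, defender-side illustration (this is not Dokku's code and not the 0.38.2 patch), the two controls an eval'd filename needs: an allow-list check that rejects names outside a conservative character set, and correct POSIX single-quote escaping, with a round-trip showing that a quote-bearing name survives eval as plain data rather than as a command. The function names are my own.

```shell
#!/bin/sh
# Added example, not part of the Dokku project. Demonstrates how a plugin
# can safely pass repository-controlled filenames into a shell string that
# will later be parsed by eval.

# Allow-list check (hypothetical helper). Include files only ever need a
# small character set, so reject anything else: empty names, path
# separators, dotfiles, and any byte outside [A-Za-z0-9._-].
is_safe_include_name() {
    case "$1" in
        ''|*/*|.*)          return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Single-quote a string for later shell parsing using the standard POSIX
# idiom: every embedded ' becomes '\'' (close quote, escaped quote, reopen).
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build a copy command the way a hardened plugin would: each argument is
# passed through shell_quote instead of being interpolated raw into '...'.
build_copy_cmd() {
    printf 'cp -- %s %s' "$(shell_quote "$1")" "$(shell_quote "$2")"
}

# Round-trip: hand the quoted form to eval and return what the command
# actually received. With correct quoting this is the original name,
# byte for byte, and nothing inside it is executed.
quoted_roundtrip() {
    eval "printf '%s' $(shell_quote "$1")"
}

# Usage: a name that would have broken the unescaped quoting is either
# rejected outright or, if quoting is the only control, kept as data.
if is_safe_include_name "headers.conf"; then
    echo "headers.conf accepted"
fi
if ! is_safe_include_name "x'y"; then
    echo "x'y rejected by allow-list"
fi
echo "$(quoted_roundtrip "x'y")"   # prints x'y, not the result of any command
```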

Responsible

GitHub M

Reservation

05/12/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources
