CVE-2026-45405

Name: CVE-2026-45405 — Vulnerability Record
Brand: Quanteta Data Lab
SKU: CVE-2026-45405

CRITICAL

CVSS v3.1: 9.0

NetworkVendor advisory ref

Source data as of: 2026-06-27 05:07:21 UTC

At a glance

Severity: CRITICAL
CVSS: 9.0 v3.1 · NVD
EPSS: EPSS not provided by FIRST.org for this CVE
CISA KEV: No
Attack conditions (CVSS vector): Network · Source: NVD Vector
Affected vendors: dokku
Published: 2026-06-26 · Modified: 2026-06-26
References: Jump to references (2)

CVSS / EPSS / KEV

CVSS v3.1 9.0 / 10 CRITICAL Source: NVD

EPSS — EPSS not provided by FIRST.org for this CVE Source: FIRST.org

CISA KEV No Source: CISA

Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources

Description

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.

Record details

CVE ID: CVE-2026-45405
CVSS (v3.1): 9.0 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability subscore: 2.3
Impact subscore: 6.0
CISA KEV: No
Weakness (CWE): CWE-59
Affected vendors: dokku
Affected configurations (CPE): 1
Published: 2026-06-26
Modified: 2026-06-26
Status: Analyzed

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.

Reference https://github.com/dokku/dokku/pull/8591
Vendor advisory https://github.com/dokku/dokku/security/advisories/GHSA-j6qq-xg73-ghqg

← Back to all records

CVE-2026-45405

At a glance

CVSS / EPSS / KEV

Description

Record details

References

Related records

Same affected vendor

Same weakness type (CWE)

Published the same year