CVE-2026-45405 (CRITICAL) - CNA: GitHub_M

CVE-2026-45405: Dokku: Arbitrary File Write via Tar Symlink Traversal in git:from-archive and certs:add

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequent entries, allowing an attacker to write arbitrary files anywhere writable by the dokku user — including overwriting ~/.ssh/authorized_keys to gain unrestricted shell access. This vulnerability is fixed in 0.38.2.
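The following Python is an added illustration, not code from the Dokku project or from this page. It builds the two-member archive the description refers to (a symlink member followed by a regular member whose path passes through it), then shows the check an extractor should run before touching the filesystem: reject links, absolute or climbing paths, and any member routed through a name an earlier member declared as a link. The names TARGET_DIR, craft_malicious_tar, audit_tar and safe_extract are chosen here, the archive contents are constructed, and the inspection is done with Python's tarfile module rather than by invoking GNU tar, so it detects the pattern the advisory describes rather than reproducing tar's behaviour.

```python
import io
import os
import posixpath
import tarfile
import tempfile

# Constructed example, not Dokku code. TARGET_DIR is the directory the
# attacker wants to reach; the demo never writes there, it only builds and
# inspects archives in memory and extracts the benign one into a temp dir.
TARGET_DIR = "/home/dokku/.ssh"


def craft_malicious_tar() -> bytes:
    """Two members: a symlink out of the tree, then a file routed through it.

    An extractor that creates the symlink first and then opens
    'ssh/authorized_keys' relative to the extraction directory follows the
    link and writes TARGET_DIR/authorized_keys instead.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("ssh")
        link.type = tarfile.SYMTYPE
        link.linkname = TARGET_DIR
        tar.addfile(link)

        payload = b"ssh-ed25519 AAAA...placeholder attacker@evil\n"  # constructed
        key = tarfile.TarInfo("ssh/authorized_keys")
        key.size = len(payload)
        tar.addfile(key, io.BytesIO(payload))
    return buf.getvalue()


def craft_benign_tar() -> bytes:
    """One ordinary regular file, the kind of archive git:from-archive expects."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"print('hello')\n"
        info = tarfile.TarInfo("app/main.py")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def audit_tar(data: bytes) -> list[str]:
    """Return the reasons an archive must be rejected; an empty list means safe.

    Rejects absolute names, names that climb out with '..', every symlink and
    hardlink, anything that is not a regular file or directory, and any
    member whose path passes through a name an earlier member declared as a
    link (the follow-the-symlink case from the advisory).
    """
    findings: list[str] = []
    link_names: set[str] = set()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            name = posixpath.normpath(m.name)
            if name.startswith("/") or name == ".." or name.startswith("../"):
                findings.append(f"{m.name}: escapes the extraction directory")
            if m.issym() or m.islnk():
                kind = "symlink" if m.issym() else "hardlink"
                findings.append(f"{m.name}: {kind} -> {m.linkname}")
                link_names.add(name)
                continue
            if not (m.isfile() or m.isdir()):
                findings.append(f"{m.name}: unsupported member type")
                continue
            parts = name.split("/")
            for i in range(1, len(parts)):
                prefix = "/".join(parts[:i])
                if prefix in link_names:
                    findings.append(f"{m.name}: path goes through link {prefix}")
                    break
    return findings


def safe_extract(data: bytes, dest: str) -> list[str]:
    """Audit first, then write members by hand; never through a link.

    The realpath check also catches a symlink that already existed in dest
    before extraction began, which audit_tar cannot see.
    """
    findings = audit_tar(data)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    dest_real = os.path.realpath(dest)
    written: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"{m.name}: resolves outside {dest_real}")
            if m.isdir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as out:
                    out.write(src.read())
            written.append(m.name)
    return written


if __name__ == "__main__":
    print("malicious:", audit_tar(craft_malicious_tar()))
    with tempfile.TemporaryDirectory() as tmp:
        print("benign:", safe_extract(craft_benign_tar(), tmp))
```

The audit runs over the member list before anything is written, which is the order that matters: once the symlink exists on disk, a second pass cannot undo the write that went through it. The realpath check in safe_extract is the belt-and-braces layer for links that were not in the archive at all.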

Metrics

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: 0.38.2
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an arbitrary file write vulnerability in Dokku, a Docker-powered platform-as-a-service. An attacker who already holds low-privilege access to Dokku's command interface (PR:L) supplies a crafted tar archive to git:from-archive or certs:add. Dokku extracts it into a temporary directory without sanitizing member paths, so an early member can create an attacker-controlled symlink and a later member is written through it; files therefore land anywhere the dokku user can write, including ~/.ssh/authorized_keys, which yields an unrestricted shell as the dokku user. The upstream fix is Dokku 0.38.2; every earlier version is affected.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Dokku or its dependencies. Any image carrying an affected Dokku version (earlier than 0.38.2) is flagged in registry scans and CI pipeline checks automatically.

Triage: Available

HarborGuard scores this finding at CVSS 9.0 (Critical) and weights it against each environment's configured compliance policy to determine priority and routing. Findings are surfaced to the appropriate team inbox within the customer org based on image ownership and policy rules.

Patch: Available upstream (0.38.2)

The upstream fix is Dokku 0.38.2; any image carrying an earlier version should be rebuilt on 0.38.2 or later. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the host over the network to invoke git:from-archive or certs:add. Dokku's remote command interface is SSH as the dokku user, so this means SSH reachability rather than an HTTP API.

  • Authentication: Required

    Any low-privilege Dokku access is sufficient (PR:L in the vector); no administrative credentials on the host are needed.

  • Victim interaction: Required

    A user or automated process with sufficient privileges must invoke the archive extraction command using the attacker-supplied archive (UI:R in the vector).

  • Attack complexity: Low

    The exploit is reliable and condition-free once the attacker can supply a crafted archive; no race conditions or special environmental factors are required.

Blast Radius

  • Attacker writes arbitrary files anywhere writable by the dokku user on the host, including ~/.ssh/authorized_keys, injecting a key that grants an unrestricted interactive shell as dokku.
  • Attacker overwrites application configuration or deployment scripts, gaining persistent code execution across future deployments on the same host.
  • With that shell, the attacker reads anything the dokku user can read: private keys, environment variable files, and application secrets stored on the host filesystem.
  • The dokku user drives the Docker daemon on a standard install, so compromise of that account reaches every co-hosted application and its data stores.

How HarborGuard Handles This

The upstream fix is Dokku 0.38.2. Images carrying an earlier version should be rebuilt on 0.38.2 or later; for customers who opt into auto-remediation, that rebuild triggers a regression test run and opens a PR against affected workloads with no manual steps required. Until the rebuild is rolled out, recommended compensating controls are: restrict who can reach the dokku user's SSH interface via network policy or firewall rules; gate or disable the git:from-archive and certs:add commands through Dokku's plugin or ACL configuration if the feature is not in active use; and audit the dokku user's home directory, in particular ~/.ssh/authorized_keys, for entries or modifications that Dokku did not create. HarborGuard surfaces policy violations and newly published fixes to the relevant team inbox as soon as they are available.
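One concrete form of the authorized_keys audit recommended above, as an added example that is neither Dokku's nor HarborGuard's code: Dokku registers keys through its sshcommand wrapper, which prefixes every managed entry with a forced command= and the no-agent-forwarding, no-user-rc, no-X11-forwarding and no-port-forwarding options. A bare key line without those options is exactly what the overwrite in this advisory leaves behind: an unrestricted login as dokku. The script parses each line with sshd's options grammar (options end at the first space outside double quotes) and flags entries that lack the wrapper. The sample file is constructed with placeholder key blobs, and the exact option list is taken from the sshcommand format as an assumption.

```python
# Constructed example, not Dokku's or HarborGuard's code. Assumes the
# authorized_keys layout written by Dokku's sshcommand wrapper: a forced
# command= plus the four no-* options on every managed key.
KEY_TYPE_PREFIXES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-", "sk-ssh-ed25519", "sk-ecdsa-",
)
REQUIRED_OPTS = (
    "no-agent-forwarding", "no-user-rc", "no-X11-forwarding", "no-port-forwarding",
)

# Constructed sample; the key blobs are placeholders, not real keys.
# Lines 2 and 3 are sshcommand-style entries, line 4 is an injected bare key.
SAMPLE_AUTHORIZED_KEYS = '''\
# managed by sshcommand (constructed sample)
command="FINGERPRINT=SHA256:abc NAME=\\"admin\\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAdminKey admin
command="FINGERPRINT=SHA256:def NAME=\\"ci\\" `cat /home/dokku/.sshcommand` $SSH_ORIGINAL_COMMAND",no-agent-forwarding,no-user-rc,no-X11-forwarding,no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABExampleCiKey ci
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleAttackerKey attacker@evil
'''


def split_options(line: str) -> tuple[str, str]:
    """Split an authorized_keys line into (options, 'type blob comment').

    sshd's grammar: if the line starts with a key type there are no options;
    otherwise options run up to the first space outside double quotes, and a
    backslash escapes the next character inside a quoted value.
    """
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line
    in_quote = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c == " " and not in_quote:
            return line[:i], line[i + 1:]
        i += 1
    return line, ""


def audit_authorized_keys(text: str) -> list[dict]:
    """Return every entry that is not wrapped the way sshcommand wraps keys."""
    flagged = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        if len(fields) < 2:
            flagged.append({"line": lineno, "type": "?", "comment": "",
                            "reasons": ["unparseable entry"]})
            continue
        ktype = fields[0]
        comment = fields[2] if len(fields) > 2 else ""
        reasons = []
        if 'command="' not in opts:
            reasons.append("no forced command: grants an unrestricted shell")
        # Substring match on purpose: the quoted command may itself contain commas.
        missing = [o for o in REQUIRED_OPTS if o not in opts]
        if missing:
            reasons.append("missing options: " + ",".join(missing))
        if reasons:
            flagged.append({"line": lineno, "type": ktype,
                            "comment": comment, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
```

On a live host, feed it the contents of /home/dokku/.ssh/authorized_keys and cross-check the unflagged entries against the output of dokku ssh-keys:list; anything flagged, or present in the file but absent from that list, was not written by Dokku.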

Affected packages
  • dokku / dokku: < 0.38.2

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H