External risk intelligence

Dokku Archive Extraction Vulnerability Allows Arbitrary File Write

CVE advisorySeverity: HIGH (CVSS 8.8)

CVE-2026-45405

Dokku is a platform-as-a-service (PaaS) tool typically managed by developers or administrators. While it can be internet-facing, these specific commands (git:from-archive and certs:add) are generally executed by authorized users or as part of internal CI/CD processes rather than being exposed as public, unauthenticated web endpoints.

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in the Dokku platform-as-a-service tool that could allow an attacker with limited access to gain unrestricted shell access by overwriting critical user files. The issue stems from how certain archive commands handle user-supplied files, enabling the attacker to write arbitrary files to the system.

  • Archive commands permit arbitrary file writes.
  • Allows unauthorized shell access to the system.
  • Confirm if this platform is in use.

Attack Path

How an attacker could exploit the issue

An attacker with limited privileges could exploit this vulnerability by tricking an administrator into running specific commands. These commands allow the extraction of archive files. If these archives contain malicious entries, like symbolic links, an attacker could manipulate the extraction process to write files to arbitrary locations on the server. This could lead to gaining unrestricted shell access to the server.

  • Requires authenticated user access.
  • Triggered by archive extraction commands.
  • Risk of arbitrary file write, leading to RCE.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, the `git:from-archive` and `certs:add` commands could allow an attacker to write arbitrary files to locations writable by the `dokku` user by exploiting archive extraction vulnerabilities. This could lead to unrestricted shell access on the server.

  • Server files and `dokku` user data.
  • Malicious archives uploaded to commands.
  • Unrestricted server shell access.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Dokku impacts PaaS environments and is likely a shared responsibility between platform or infrastructure teams managing Dokku deployments and potentially application owners who utilize the `git:from-archive` or `certs:add` commands. The initial step involves identifying all Dokku instances, determining their reachability and business criticality, and then locating the accountable owners to plan remediation, prioritizing actions based on observed risk.

  • Platform/application owners should investigate.
  • Verify Dokku instance reachability and criticality.
  • Plan targeted remediation or vendor engagement.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Dokku?

Dokku is a platform-as-a-service (PaaS) tool powered by Docker. It allows developers to deploy and manage applications by automating container builds and hosting. It acts as a lightweight alternative to larger cloud platforms, simplifying the process of getting code from a local environment onto a server.

How does CVE-2026-45405 allow arbitrary file writes?

This vulnerability is classified as Improper Link Resolution Before File Access (CWE-59). When using certain commands, the software extracts archive files without properly sanitizing paths or blocking symbolic links. This allows a malicious archive to trick the system into writing files outside of the intended directory, potentially overwriting sensitive system files.

Do I need to be an administrator to trigger this?

The vulnerability requires access to the specific git:from-archive or certs:add commands. It is not triggered by simply hosting an application or navigating to a webpage. An attacker must have the ability to supply or influence the archive files processed by these commands for the extraction to proceed maliciously.

Is my Dokku instance at risk?

Halo Surface Signal notes that while Dokku instances can be internet-facing, these vulnerable commands are often used by authorized personnel or internal CI/CD pipelines. You should care if your workflow allows these commands to process untrusted or external archives, as this creates a path for an attacker to gain shell access.

What is the first step to address this CVE?

The primary action is to identify all running Dokku instances in your environment. Once mapped, verify the version of your deployment; the issue is resolved in version 0.38.2. If you are on an earlier version, coordinate with your infrastructure team to plan an update to the secure release.

References