External risk intelligence

Dokku App Name Validation Allows Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.0)

CVE-2026-45408

Dokku is a PaaS that manages application deployments. While it handles git-based pushes which may be exposed to a development team or the internet depending on infrastructure setup, it is typically accessed by authenticated users rather than being a public-facing service by design, making internet reachability possible but not guaranteed as a default global deployment pattern.

OS Command Injection

Dokku

before 0.38.2

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in Dokku, a platform-as-a-service that uses Docker for application deployments. The issue allows authenticated users to execute arbitrary commands on the server by pushing a specially named application. While the platform typically requires authentication, its exposure can vary depending on how it's implemented within an organization's infrastructure. The primary concern is to confirm if this technology is in use and assess potential exposure.

  • Allows unauthorized commands via crafted app names.
  • Matters if Dokku is used for application deployment.
  • Confirm relevance and identify any affected systems.

Attack Path

How an attacker could exploit the issue

An attacker with authenticated access can exploit this vulnerability by pushing code to a Dokku application with a specially crafted name. This app name is then embedded into a command script without proper quoting. When Git processes the push, the shell interprets characters within the app name as commands, allowing the attacker to execute arbitrary code on the server as the Dokku user.

  • Authenticated user access required.
  • Malicious app name during git push.
  • Arbitrary command execution as user.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could execute arbitrary commands on the server by pushing a specially crafted application name to a git remote. This could occur when the server processes the git push and the app name is interpreted as commands within a bash script.

  • Server-side commands could be executed.
  • Authenticated users could push malicious app names.
  • Arbitrary command execution on the server.

Operational Fix

Recommended remediation, mitigation, and detection steps

Technical leaders and system owners should coordinate to identify Dokku instances, assess their reachability and criticality, and pinpoint the accountable application or platform owner. Remediation planning should then be prioritized based on the identified risk.

  • Application or platform teams should own the issue.
  • Verify affected Dokku instance reachability and criticality.
  • Plan risk-based remediation with vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Dokku and why is it used?

Dokku is a platform-as-a-service (PaaS) built on Docker. Developers use it to manage application deployments by pushing code via Git, allowing for an automated and streamlined way to run web applications on their own server infrastructure.

What does CVE-2026-45408 mean in plain English?

This is a command injection vulnerability, classified as CWE-78. It occurs because the system fails to properly filter special characters in application names. When a user provides a malicious name, the underlying system mistakenly treats parts of that name as executable code rather than plain text, allowing unauthorized commands to run on the server.

How is this vulnerability triggered?

An authenticated user triggers the bug by pushing code to a Git remote using a crafted application name containing shell metacharacters like semicolons. This issue does not occur when using valid, standard application names that strictly follow expected character patterns, as the flawed processing script is only activated by the malformed input.

Do I need to worry if my Dokku instance is internal?

According to Halo Surface Signal, Dokku's risk depends on its infrastructure setup. While internet-facing instances have a broader attack surface, any instance that allows push access—even if limited to internal teams—could be vulnerable if an attacker gains authenticated access.

What are the first steps to address this issue?

Your priority is to identify all running Dokku instances within your environment. Once identified, work with the platform owners to update to version 0.38.2 or higher, where the application name validation is corrected to prevent command injection.

References