External risk intelligence

Dokku Cron Plugin Host Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-54636

The vulnerability exists in the cron plugin of a PaaS platform. Exploitation requires an attacker to define or modify app.json configuration files for deployed applications. Since this involves a configuration-level action rather than a direct public-facing service exploit, public internet reachability is possible but not inherent to the vulnerability itself.

OS Command Injection

Dokku

before 0.38.7

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in the Dokku PaaS platform's cron plugin that could allow an authenticated user to execute commands on the host system. The issue arises when specific shell characters are used within app.json configuration files, enabling a breakout from the container environment.

  • Code could escape its container.
  • Affected configuration could allow host access.
  • Confirm relevance and exposure of configurations.

Attack Path

How an attacker could exploit the issue

An attacker could compromise a Dokku server by exploiting a flaw in the cron plugin. This plugin processes commands from an app.json file, and if an attacker can inject special shell characters into these commands, they can break out of the application's container and run arbitrary commands on the underlying host system as the Dokku user.

  • An attacker must have the ability to modify application configurations.
  • The vulnerability is triggered by special characters in app.json cron commands.
  • Risk includes unauthorized host command execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, specially crafted commands within an app.json file could allow an attacker to escape a Docker container and execute commands on the host system as the Dokku user. This could affect the integrity and confidentiality of the host system.

  • System commands on the host.
  • Malicious commands in app.json.
  • Host system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Dokku's cron plugin requires an application owner to maliciously craft `app.json` files with special shell characters. The first practical step is for platform or infrastructure teams to identify all Dokku instances, locate the `app.json` files for deployed applications, and confirm which instances are business-critical or exposed externally. Subsequent actions will depend on this exposure assessment and the identification of accountable application owners.

  • Platform/app teams own the issue.
  • Verify Dokku instance exposure and `app.json` control.
  • Plan remediation with accountable owners.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Dokku?

Dokku is a platform-as-a-service (PaaS) that uses Docker to help developers deploy and manage web applications. It simplifies the hosting process by automating the containerization of code, allowing users to run multiple applications on a single server, which it manages like a small-scale, private version of larger cloud hosting environments.

What does CVE-2026-54636 mean in plain English?

This vulnerability is classified as CWE-78, or OS Command Injection. It means the software does not properly filter user-supplied input before executing it. In this specific case, the Dokku cron plugin fails to sanitize commands defined in an application's configuration file, allowing an attacker to inject characters that force the system to run unintended commands outside of the application's isolated container.

How is this container breakout triggered?

An attacker must have permission to modify the 'app.json' configuration file for a deployed application. By inserting shell control characters, such as semicolons or redirection symbols, into a cron task definition, they can trick the plugin into running malicious code on the host server. Standard application functions that do not involve configuring custom cron tasks through these specific files are not affected.

Is my Dokku instance at risk?

According to Halo Surface Signal, this vulnerability is not inherently public-facing, but it is classified as external. Risk depends on whether an untrusted user has the ability to influence or update the configuration of applications hosted on your Dokku server. If your platform allows users you do not fully trust to commit or change 'app.json' files, you should prioritize investigating those specific environments.

How do I address this Dokku vulnerability?

The primary step is to update your Dokku installation to version 0.38.7 or newer, which contains the fix for the cron plugin. While planning your update, audit your deployed applications to identify which ones utilize 'app.json' cron configurations. Coordinate with the teams or individuals responsible for those specific applications to ensure their configurations are legitimate and verified during the transition.

References