CVE-2026-45407 - Vulnerability Details - OpenCVE

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/dokku/dokku/pull/8589
https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr

History

Fri, 26 Jun 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 26 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2.
Title		Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch
Weaknesses		CWE-522
References		https://github.com/dokku/dokku/pull/8589 https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr
Metrics		cvssV3_1 `{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-26T16:21:25.215Z

Updated: 2026-06-26T18:06:03.092Z

Reserved: 2026-05-12T01:48:40.452Z

Link: CVE-2026-45407

Vulnrichment

Updated: 2026-06-26T18:05:59.136Z

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45407", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-12T01:48:40.452Z", "datePublished": "2026-06-26T16:21:25.215Z", "dateUpdated": "2026-06-26T18:06:03.092Z"}, "containers": {"cna": {"title": "Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch", "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr"}, {"name": "https://github.com/dokku/dokku/pull/8589", "tags": ["x_refsource_MISC"], "url": "https://github.com/dokku/dokku/pull/8589"}], "affected": [{"vendor": "dokku", "product": "dokku", "versions": [{"version": "< 0.38.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-26T16:21:25.215Z"}, "descriptions": [{"lang": "en", "value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2."}], "source": {"advisory": "GHSA-xh7p-9crg-pchr", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-26T18:05:54.597071Z", "id": "CVE-2026-45407", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T18:06:03.092Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-45407", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-26T18:05:54.597071Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-26T18:05:59.136Z"}}], "cna": {"title": "Dokku: Git Credentials in .netrc Stored World-Readable Due to Premature touch", "source": {"advisory": "GHSA-xh7p-9crg-pchr", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "dokku", "product": "dokku", "versions": [{"status": "affected", "version": "< 0.38.2"}]}], "references": [{"url": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr", "name": "https://github.com/dokku/dokku/security/advisories/GHSA-xh7p-9crg-pchr", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/dokku/dokku/pull/8589", "name": "https://github.com/dokku/dokku/pull/8589", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch command, which applies the default umask of 0644. This pre-creation defeats the netrc binary's built-in 0600 permission setting, leaving git credentials readable by any local user who can traverse the dokku home directory. This vulnerability is fixed in 0.38.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-26T16:21:25.215Z"}}}, "cveMetadata": {"cveId": "CVE-2026-45407", "state": "PUBLISHED", "dateUpdated": "2026-06-26T18:06:03.092Z", "dateReserved": "2026-05-12T01:48:40.452Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-26T16:21:25.215Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}