CVE-2026-54636

⛔ critical

Summary

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.

CVSS Score

9.0

Critical

EPSS Score

Published Date

2026-06-26

First Seen: 2026-06-27

📊 Relative Risk Intelligence

This CVE is High Risk - more severe than 87.7% of all 330,193 vulnerabilities in our database.

#40,600

Top 25% most severe

Severity Percentile

Last Modified 2026-06-26

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-78

📦 Affected Products 1

Vendor	Product	Status	Affected Versions
dokku	dokku	Affected	< 0.38.7

🔗 References 2

https://github.com/dokku/dokku/pull/8672

Issue Tracking Patch

https://github.com/dokku/dokku/security/advisories/G...

Vendor Advisory

🔗 Related CVEs 4

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-45405	⛔ critical	9.0	-	Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/z...	2026-06-26
CVE-2026-45406	⛔ critical	9.0	-	Dokku is a docker-powered PaaS. Prior to 0.38.2, the openresty-vhosts plugin copies files from an app's openresty/http-i...	2026-06-26
CVE-2026-45407	🔶 medium	5.0	-	Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:auth command creates $DOKKU_ROOT/.netrc using bash's touch comm...	2026-06-26
CVE-2026-45408	⛔ critical	9.0	-	Dokku is a docker-powered PaaS. Prior to 0.38.2, the app name validation regex (^[a-z0-9][^/:_A-Z]*$) permits shell meta...	2026-06-26

These CVEs affect the same products