CVE-2026-54636

Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7.

CVSS v3 9.0 CRITICAL

9.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/dokku/dokku/pull/8672	Issue Tracking Patch
https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dokku:dokku:*:*:*:*:-:*:*:*

History

26 Jun 2026, 19:01

Type	Values Removed	Values Added
CPE		cpe:2.3:a:dokku:dokku:::::-:::*
First Time		Dokku dokku Dokku
References	~~() https://github.com/dokku/dokku/pull/8672 -~~	() https://github.com/dokku/dokku/pull/8672 - Issue Tracking, Patch
References	~~() https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w -~~	() https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w - Vendor Advisory

26 Jun 2026, 17:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-26 17:16

Updated : 2026-06-29 14:16

NVD link : CVE-2026-54636

Mitre link : CVE-2026-54636

CVE.ORG link : CVE-2026-54636

JSON object : View

Products Affected

dokku

dokku

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2026-54636", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-54636", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "total"}], "version": "2.0.3", "timestamp": "2026-06-29T13:28:46.363010Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "dokku", "product": "dokku", "versions": [{"status": "affected", "version": "< 0.38.7"}]}]}], "published": "2026-06-26T17:16:34.083", "references": [{"url": "https://github.com/dokku/dokku/pull/8672", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dokku/dokku/security/advisories/GHSA-72vm-7pc2-x95w", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Dokku is a docker-powered PaaS. Prior to 0.38.7, the cron plugin utilizes commands in the app.json file to manage system cron running as the Dokku user. An app.json cron command utilizing special shell characters - including, but not limited to, > or ; - can break out of the Docker container and execute commands on the host as the Dokku user. This vulnerability is fixed in 0.38.7."}], "lastModified": "2026-06-29T14:16:57.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dokku:dokku:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "AA4918A7-B341-4B50-865E-F5020BB707D5", "versionEndExcluding": "0.38.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}