CVE-2026-23520

HIGH EPSS 73.5%
Published Jan 15, 20265mo ago · Modified Jun 17, 20262w ago
8.0 CVSS 3.1
High
Find Similar
Published Jan 15, 2026 5mo ago
Last Modified Jun 17, 2026 2w ago

Description

Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.

CVSS Details

Base Score
8.0
Exploitability
2.1
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
73.5% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-78 OS Command Injection Injection

Affected Products 1

VendorProductVersionRange
arcanearcane* <1.13.0

References 4

  • github.com https://github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4
    Exploit
  • github.com https://github.com/getarcaneapp/arcane/pull/1468
    Issue Tracking
  • github.com https://github.com/getarcaneapp/arcane/releases/tag/v1.13.0
    Release Notes
  • github.com https://github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.