EXECUTIVE SUMMARY:
CVE-2026-47179 with a CVSS score of 7.7 is a path‑traversal flaw in the Arcane backend (go/github.com/getarcaneapp/arcane/backend) affecting all releases up to and including 1.19.3. The vulnerability stems from the CreateProject API accepting arbitrary Docker Compose content without validating include directives, and the GetProjectFileContent endpoint returning the raw content of those include files before any safety checks. An authenticated user can craft a project whose compose file contains an include such as '../etc/passwd', causing the backend to write the malicious compose to disk and later read the referenced file when queried, effectively allowing arbitrary read of any file the service process can access, including the embedded SQLite database (arcane.db) that stores password hashes and API keys. Exploitation requires only a valid user credential (no admin role) and network access to the API endpoints; no additional privileges are needed. Successful exploitation can lead to credential theft, privilege escalation to admin, and, through Arcane’s Docker control plane, remote code execution on the host, jeopardizing data confidentiality, integrity, and overall service availability.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-47179 with a CVSS score of 7.7 is a path‑traversal flaw in the Arcane backend (go/github.com/getarcaneapp/arcane/backend) affecting all releases up to and including 1.19.3. The vulnerability stems from the CreateProject API accepting arbitrary Docker Compose content without validating include directives, and the GetProjectFileContent endpoint returning the raw content of those include files before any safety checks. An authenticated user can craft a project whose compose file contains an include such as '../etc/passwd', causing the backend to write the malicious compose to disk and later read the referenced file when queried, effectively allowing arbitrary read of any file the service process can access, including the embedded SQLite database (arcane.db) that stores password hashes and API keys. Exploitation requires only a valid user credential (no admin role) and network access to the API endpoints; no additional privileges are needed. Successful exploitation can lead to credential theft, privilege escalation to admin, and, through Arcane’s Docker control plane, remote code execution on the host, jeopardizing data confidentiality, integrity, and overall service availability.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-c3px-h233-h6fq