PT-2026-3097 · Arcane · Arcane

Denizparlak · Published 2026-01-15 · Updated 2026-02-05

CVE-2026-23520 · CVSS v3.1 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Arcane versions prior to 1.13.0

Description: Arcane's updater service allows defining commands to run before or after container updates via the lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update. The value of these labels is passed directly to /bin/sh -c without validation, which is an OS command injection vulnerability. Any authenticated user can create projects through the API and place malicious commands in these lifecycle labels. When an administrator then triggers a container update, Arcane executes the command inside the container. If the container has host volume mounts, the command can reach the host filesystem, which may lead to data theft or, if sensitive paths such as /var/run/docker.sock are mounted, full host compromise. The issue enables remote code execution (RCE) in the container context.

Recommendations: Update versions prior to 1.13.0 to version 1.13.0 or later.
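As an added example (not part of this advisory or of the Arcane project), a Python audit that reads `docker inspect` output and reports every container carrying one of the two lifecycle labels named above, flagging values that contain shell metacharacters and noting sensitive host bind mounts that would raise the impact; the label names are from the advisory, the sensitive-path list and the sample inspect records are constructed assumptions.

```python
import json
import re

# Lifecycle labels named in the advisory; in Arcane < 1.13.0 their values reach /bin/sh -c.
LIFECYCLE_LABELS = (
    "com.getarcaneapp.arcane.lifecycle.pre-update",
    "com.getarcaneapp.arcane.lifecycle.post-update",
)
# Shell metacharacters that have no business in a plain hook command.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")
# Host paths whose bind mount raises the impact of an in-container command (assumed list).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/", "/etc", "/root", "/home")

def audit_container(entry: dict) -> list[dict]:
    """Return one finding per lifecycle label found on a single `docker inspect` record."""
    name = entry.get("Name", "").lstrip("/")
    labels = entry.get("Config", {}).get("Labels") or {}
    sensitive = sorted(
        m["Source"] for m in entry.get("Mounts") or []
        if m.get("Type") == "bind" and m.get("Source") in SENSITIVE_HOST_PATHS
    )
    findings = []
    for key in LIFECYCLE_LABELS:
        if key in labels:
            findings.append({
                "container": name,
                "label": key,
                "value": labels[key],
                "shell_metachars": bool(SHELL_META.search(labels[key])),
                "sensitive_mounts": sensitive,
            })
    return findings

def audit_all(inspect_json: str) -> list[dict]:
    """Audit the JSON array printed by `docker inspect $(docker ps -aq)`."""
    return [f for entry in json.loads(inspect_json) for f in audit_container(entry)]

# Constructed sample, not real output: a benign hook and an injected one with docker.sock mounted.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"Labels": {LIFECYCLE_LABELS[0]: "/app/bin/drain"}}, "Mounts": []},
    {"Name": "/agent", "Config": {"Labels": {LIFECYCLE_LABELS[1]: "/app/bin/hook; id"}},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}]},
])

if __name__ == "__main__":
    for f in audit_all(SAMPLE_INSPECT):
        print("SUSPICIOUS" if f["shell_metachars"] else "review", f["container"], f["label"], f["value"], f["sensitive_mounts"])
```

Any hit is worth reviewing even without metacharacters, since before 1.13.0 the label value is executed as-is on the next administrator-triggered update.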

Exploit · Fix · RCE · OS Command Injection

Related Identifiers

BDU:2026-01841
CVE-2026-23520
GHSA-GJQQ-6R35-W3R8
GO-2026-4320
SUSE-SU-2026:0292-1

Affected Products

Arcane