PT-2026-44732 · Arcane · Arcane
Offset
·
Published
2026-05-28
·
Updated
2026-05-31
·
CVE-2026-47179
CVSS v3.1
7.7
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Arcane versions prior to 1.19.4
Description
An authenticated user can perform an arbitrary read of any file accessible by the Arcane backend process. This occurs because the
ProjectService.CreateProject function writes attacker-supplied compose content to disk without validating include paths. Subsequently, the ProjectService.GetProjectFileContent function returns the contents of any Docker Compose include directive before path-traversal validation is executed. By creating a project with a compose file containing a malicious include directive, such as include: ['../../../../etc/passwd'], an attacker can read sensitive files via the project file API.Technical details include:
- API Endpoints:
POST /api/environments/{id}/projectsandGET /api/environments/{id}/projects/{projectId}/file. - Vulnerable Functions:
ProjectService.CreateProject(),ProjectService.GetProjectFileContent(), andParseIncludes().
This issue can lead to the disclosure of the
arcane.db SQLite database, which contains password hashes and API keys for all users. This enables privilege escalation to an administrator role and potentially Remote Code Execution (RCE) on the host via the Docker control plane.Recommendations
Update to version 1.19.4.
Fix
RCE
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Arcane