CVE-2026-23520
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23520
EUVD
EUVD-2026-2738
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getarcaneapp arcane to 1.13.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23520 is a critical command injection vulnerability in the Arcane updater service prior to version 1.13.0. The vulnerability arises because Arcane supports lifecycle labels (com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update) that allow specifying shell commands to run before or after a container update. These label values are passed directly to /bin/sh -c without any sanitization or validation. Since any authenticated user can create projects via the API, an attacker can craft a project with malicious lifecycle label commands. When an administrator triggers a container update, Arcane executes these commands inside the container, potentially leading to remote code execution, unauthorized host filesystem access, data exfiltration, and even full host compromise if sensitive mounts are present. [1]

Impact Analysis

This vulnerability can lead to remote code execution within the container context, unauthorized access to the host filesystem, data theft or exfiltration, and potentially full host compromise. If the container mounts sensitive host volumes such as /var/run/docker.sock, an attacker can leverage this to escalate privileges and control the host system. The attack requires an authenticated user to create a malicious project and an administrator to trigger a container update, but the impact is severe, affecting confidentiality, integrity, and availability. [1]

Detection Guidance

You can detect this vulnerability by checking if your Arcane installation is running a version prior to 1.13.0 and if any projects have the lifecycle labels `com.getarcaneapp.arcane.lifecycle.pre-update` or `com.getarcaneapp.arcane.lifecycle.post-update` set. Since these labels allow execution of arbitrary shell commands during container updates, inspecting container labels for these keys can help identify vulnerable configurations. For example, you can use Docker commands to inspect container labels: `docker inspect --format='{{json .Config.Labels}}' <container_id>` and look for the presence of these lifecycle labels. Additionally, reviewing your Arcane API projects for these labels can help detect potential exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Arcane to version 1.13.0 or later, where the vulnerable lifecycle hooks and labels have been completely removed, eliminating the attack surface. If upgrading immediately is not possible, you should audit and remove any lifecycle labels (`com.getarcaneapp.arcane.lifecycle.pre-update` and `com.getarcaneapp.arcane.lifecycle.post-update`) from your projects or containers to prevent execution of arbitrary commands during updates. Also, restrict authenticated user permissions to limit project creation if feasible until the upgrade is applied. [1, 2, 3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23520. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart