CVE-2026-23520
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: getarcaneapp | Product: arcane | Version / Range: up to 1.13.0 (excluding)
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-23520 is a critical command injection vulnerability in the Arcane updater service prior to version 1.13.0. The vulnerability arises because Arcane supports lifecycle labels (com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update) that allow specifying shell commands to run before or after a container update. These label values are passed directly to /bin/sh -c without any sanitization or validation. Since any authenticated user can create projects via the API, an attacker can craft a project with malicious lifecycle label commands. When an administrator triggers a container update, Arcane executes these commands inside the container, potentially leading to remote code execution, unauthorized host filesystem access, data exfiltration, and even full host compromise if sensitive mounts are present. [1]

How can this vulnerability impact me?

This vulnerability can lead to remote code execution within the container context, unauthorized access to the host filesystem, data theft or exfiltration, and potentially full host compromise. If the container mounts sensitive host volumes such as /var/run/docker.sock, an attacker can leverage this to escalate privileges and control the host system. The attack requires an authenticated user to create a malicious project and an administrator to trigger a container update, but the impact is severe, affecting confidentiality, integrity, and availability. [1]

How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking if your Arcane installation is running a version prior to 1.13.0 and if any projects have the lifecycle labels `com.getarcaneapp.arcane.lifecycle.pre-update` or `com.getarcaneapp.arcane.lifecycle.post-update` set. Since these labels allow execution of arbitrary shell commands during container updates, inspecting container labels for these keys can help identify vulnerable configurations. For example, you can use Docker commands to inspect container labels: `docker inspect --format='{{json .Config.Labels}}' <container_id>` and look for the presence of these lifecycle labels. Additionally, reviewing your Arcane API projects for these labels can help detect potential exploitation attempts. [1]
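
The label check described above, automated over `docker inspect` output, as an added example that is not part of the BaseFortify page or the Arcane project; the container names, IDs and the `echo placeholder` label value are constructed sample data.

```python
"""Scan `docker inspect` output for the Arcane lifecycle labels (CVE-2026-23520)."""
import json
import re

# The two label keys named in the advisory; constructed sample data sits at the bottom.
LIFECYCLE_LABELS = (
    "com.getarcaneapp.arcane.lifecycle.pre-update",
    "com.getarcaneapp.arcane.lifecycle.post-update",
)
FIXED_VERSION = (1, 13, 0)  # first Arcane release without the lifecycle hooks


def parse_version(version: str) -> tuple:
    """Turn '1.12.3' or 'v1.12.3-rc1' into a comparable tuple (1, 12, 3)."""
    match = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the Arcane version is below the fixed release 1.13.0."""
    return parse_version(version) < FIXED_VERSION


def find_lifecycle_labels(inspect_json: str) -> list:
    """Return (container_name, label_key, label_value) for every lifecycle label present."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/") or container.get("Id", "?")[:12]
        # Config.Labels can be null in docker inspect output, hence the `or {}` guards.
        labels = (container.get("Config") or {}).get("Labels") or {}
        for key in LIFECYCLE_LABELS:
            if key in labels:
                findings.append((name, key, labels[key]))
    return findings


# Constructed sample of `docker inspect` output: two containers, one with a post-update hook.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6a7b8", "Name": "/web",
     "Config": {"Labels": {"com.docker.compose.project": "shop"}}},
    {"Id": "f6e5d4c3b2a1f6e5", "Name": "/worker",
     "Config": {"Labels": {"com.docker.compose.project": "shop",
                           "com.getarcaneapp.arcane.lifecycle.post-update": "echo placeholder"}}},
])

if __name__ == "__main__":
    for name, key, value in find_lifecycle_labels(SAMPLE_INSPECT):
        print(f"{name}: {key} = {value!r}")
```

On a real host, pass the output of `docker inspect $(docker ps -aq)` to `find_lifecycle_labels` instead of the constructed sample; any hit on a pre-1.13.0 installation is a configuration to review and remove.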

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Arcane to version 1.13.0 or later, where the vulnerable lifecycle hooks and labels have been completely removed, eliminating the attack surface. If upgrading immediately is not possible, you should audit and remove any lifecycle labels (`com.getarcaneapp.arcane.lifecycle.pre-update` and `com.getarcaneapp.arcane.lifecycle.post-update`) from your projects or containers to prevent execution of arbitrary commands during updates. Also, restrict authenticated user permissions to limit project creation if feasible until the upgrade is applied. [1, 2, 3, 4]