CVE-2026-24129
Unknown Unknown - Not Provided
Command Injection in Runtipi BackupManager via Unsanitized Filenames

Publication date: 2026-01-22

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions 3.7.0 and above allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups. The system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file containing shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. The successful storage of the file is what allows the subsequent restore command to reference and execute it. This issue has been fixed in version 4.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-22
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24129
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
runtipi runtipi From 3.7.0 (inc) to 4.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Runtipi versions 3.7.0 and above, where an authenticated user can execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager does not sanitize the filenames of uploaded backups, allowing an attacker to upload a file with shell metacharacters (e.g., $(id).tar.gz) that is stored directly on the host filesystem. During the restore process, this file is referenced and executed, enabling command execution on the host. This issue was fixed in version 4.7.0.

Impact Analysis

This vulnerability can allow an authenticated attacker to execute arbitrary system commands on the host server, potentially leading to full compromise of the server. This can result in unauthorized access, data theft, data corruption, or disruption of services running on the server.

Mitigation Strategies

Upgrade Runtipi to version 4.7.0 or later, as this version contains the fix for the vulnerability. Additionally, restrict authenticated user permissions to prevent arbitrary command execution and avoid uploading backup files with shell metacharacters in their filenames until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart