CVE-2026-25116
Path Traversal in Runtipi UserConfigController Enables Remote Code Execution
Publication date: 2026-01-29
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| runtipi | runtipi | From 4.5.0 (inc) to 4.7.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an unauthenticated Path Traversal issue in Runtipi versions 4.5.0 up to before 4.7.2. It exists in the UserConfigController and allows any remote user to overwrite the system's docker-compose.yml configuration file by exploiting insecure URN parsing. This lets an attacker replace the primary stack configuration with a malicious one, which can lead to full Remote Code Execution (RCE) and compromise of the host filesystem when the instance is restarted.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to execute arbitrary code remotely on the host system by overwriting critical configuration files. This leads to a full compromise of the host filesystem and potentially the entire system, resulting in loss of integrity, availability, and confidentiality of the affected system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Runtipi to version 4.7.2 or later, as this version fixes the vulnerability. Additionally, avoid restarting the instance until the upgrade is applied to prevent exploitation of the malicious docker-compose.yml file.