CVE-2026-45626
Deferred Deferred - Pending Action
Command Injection in Arcane Docker Management Interface

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/{id}/volumes/{volumeName}/browse accepts a path query parameter that is passed to a shell command (sh -c "find … | while …") inside an Arcane helper container. The path sanitiser blocks ../ traversal but does not strip Bourne-shell metacharacters such as $() or backticks, and strconv.Quote only escapes Go string metacharacters, not shell substitution sequences. Any authenticated user with access to a browseable volume can execute arbitrary commands inside the helper container; command output is reflected back in the 500 error body.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45626
EUVD
EUVD-2026-33372
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getarcaneapp arcane to 1.18.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45626 is an OS Command Injection vulnerability in the Arcane application's Volume Browser ListDirectory functionality. It occurs because the 'path' query parameter in the GET /environments/{id}/volumes/{volumeName}/browse endpoint is passed directly to a shell command inside an Arcane helper container without proper sanitization.

Although the path sanitizer blocks directory traversal sequences like "../", it does not remove Bourne-shell metacharacters such as $(), backticks, ;, &, |, or >. Additionally, the strconv.Quote function only escapes Go string metacharacters and does not prevent shell substitution sequences, allowing an attacker to inject arbitrary shell commands.

Any authenticated user with access to a browseable volume can exploit this to execute arbitrary commands inside the helper container. The output of these commands is reflected back in HTTP 500 error responses.

Impact Analysis

This vulnerability allows an authenticated user to execute arbitrary commands inside the Arcane helper container, potentially leading to unauthorized actions within that container.

Although the helper container is isolated with network disabled, no privileged mode, and read-only volume mounts, limiting the impact, attackers can bypass API restrictions such as symlink censorship and file size limits.

Attackers can also exfiltrate data via error messages returned by the server. Additionally, a secondary issue allows a destructive command (rm -rf /volume) to be triggered via the DELETE endpoint with a specific path parameter.

Overall, the vulnerability has moderate severity (CVSS 6.3) and can impact confidentiality, integrity, and availability within the scope of the helper container.

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection via the GET /environments/{id}/volumes/{volumeName}/browse endpoint with crafted path query parameters containing Bourne-shell metacharacters such as $() or backticks.

If the system is vulnerable, executing such requests as an authenticated user may cause the helper container to execute arbitrary commands, with the command output reflected in HTTP 500 error responses.

A detection approach could involve sending a request with a path parameter designed to execute a harmless command, for example:

  • curl -i -H "Authorization: Bearer <token>" "https://<arcane-host>/environments/<id>/volumes/<volumeName>/browse?path=$(id)"

If the response contains output from the 'id' command inside the error body, it indicates the vulnerability is present.

Mitigation Strategies

Immediate mitigation steps include upgrading Arcane to a version later than 1.18.1 where this vulnerability is fixed.

If upgrading is not immediately possible, restrict access to the Arcane API to trusted users only, as the vulnerability requires authenticated access.

Additionally, monitor and audit API usage for suspicious requests containing shell metacharacters in the path parameter.

Consider disabling or limiting the use of the Volume Browser functionality until a patch is applied.

Compliance Impact

The vulnerability allows authenticated users to execute arbitrary commands inside an isolated helper container, potentially leading to limited confidentiality, integrity, and availability impacts within that container. However, due to the container's isolation and limited blast radius, the overall impact on sensitive data or systems is constrained.

There is no explicit information provided about direct effects on compliance with common standards and regulations such as GDPR or HIPAA. The limited scope and containment of the vulnerability suggest that while there is a risk of data exfiltration via error messages, the impact on regulated data environments is not detailed.

Therefore, without further details on the nature of data handled or additional context on regulatory environments, the compliance impact cannot be definitively assessed from the provided information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45626. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart