CVE-2026-47179
Deferred Deferred - Pending Action
Path Traversal in Arcane Docker Management Interface

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.4, ProjectService.GetProjectFileContent returns the contents of any Docker Compose include directive declared in a project's compose file before any path-traversal validation runs. Because ProjectService.CreateProject writes attacker-supplied compose content to disk without validating include paths, an authenticated user can create a project whose compose file declares include: ['../../../../etc/passwd'], then read the include via the project file API. The result is arbitrary read of any file readable by the Arcane backend process, including /app/data/arcane.db (the SQLite database containing every user's password hash and API key), enabling escalation to admin and, via Arcane's Docker control plane, RCE on the host. This vulnerability is fixed in 1.19.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-47179
EUVD
EUVD-2026-33369
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getarcaneapp arcane 1.19.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Arcane, an interface for managing Docker containers and related resources. Before version 1.19.4, the application allowed an authenticated user to exploit a path traversal flaw in Docker Compose include directives. Specifically, the ProjectService.GetProjectFileContent function returned the contents of any included file before validating the file path, and ProjectService.CreateProject wrote attacker-supplied compose content to disk without validating include paths.

An attacker could create a project with a malicious compose file that includes a path like '../../../../etc/passwd', allowing them to read arbitrary files accessible by the Arcane backend process. This includes sensitive files such as the SQLite database containing user password hashes and API keys. This unauthorized file read can lead to privilege escalation to admin and remote code execution on the host via Docker control.

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive information and system compromise. An attacker with low-privilege authentication can read any file accessible by the Arcane backend, including critical files like the user database containing password hashes and API keys.

With access to these credentials, the attacker can escalate privileges to admin level within Arcane. Furthermore, because Arcane controls Docker on the host, the attacker can achieve remote code execution (RCE) on the host system, potentially compromising the entire host environment.

Detection Guidance

This vulnerability involves unsafe file inclusion in Docker Compose files managed by the Arcane application, allowing an authenticated user to read arbitrary files via path traversal in include directives.

To detect exploitation attempts or presence of this vulnerability, you can look for projects created with Docker Compose files containing suspicious include directives that reference paths outside the project directory, such as '../../../../etc/passwd'.

Since the vulnerability is related to the contents of Docker Compose include directives and their handling by Arcane, detection involves inspecting project compose files and API calls to ProjectService.GetProjectFileContent.

  • Check for Docker Compose files or project configurations that include external paths using commands like: grep -r "include:" /path/to/arcane/projects
  • Monitor API requests to the Arcane backend for calls to ProjectService.GetProjectFileContent that request files outside the project directory.
  • Audit Arcane project directories for unexpected or suspicious files or symlinks that could indicate path traversal attempts.
Mitigation Strategies

The vulnerability is fixed in Arcane version 1.19.4 by introducing strict validation of include paths in Docker Compose files to prevent directory traversal and unauthorized file access.

Immediate mitigation steps include:

  • Upgrade Arcane to version 1.19.4 or later, which contains the fix that validates and restricts include paths to within the project directory.
  • Restrict access to the Arcane application to trusted authenticated users only, as the attack requires authentication.
  • Audit existing projects for malicious Docker Compose include directives that reference files outside the project directory and remove or correct them.
  • Monitor and restrict API usage related to project file content retrieval to detect and prevent unauthorized file reads.
Compliance Impact

This vulnerability allows an authenticated user to read arbitrary files on the host, including sensitive files such as the SQLite database containing every user's password hash and API key. This unauthorized access to sensitive user credentials and API keys can lead to privilege escalation and remote code execution.

Such exposure of sensitive personal and authentication data can result in violations of common data protection standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information to prevent unauthorized disclosure.

Therefore, exploitation of this vulnerability could lead to non-compliance with these regulations due to the risk of credential disclosure, unauthorized access, and potential compromise of user data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-47179. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart