Description
Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
Published: 2026-01-15
Score: 9.1 Critical
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Arcane’s updater service contains a command injection flaw that lets an attacker supply a malicious command via lifecycle labels, which are passed directly to /bin/sh -c without validation. When a container update is performed, the injected command executes inside the target container, enabling arbitrary code execution on the host.

Affected Systems

The vulnerability applies to the Arcane Docker management tool from getarcaneapp. Any instance running a version older than 1.13.0 is exposed because lifecycle labels can be set by any authenticated API user. The issue was fixed in Arcane 1.13.0 and later releases.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity, while the EPSS score of 2% reflects a low but non-zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated API user to create a project with a malicious lifecycle label, and the compromise occurs when an administrator triggers a container update, at which point the injected command runs inside the container.

Generated by OpenCVE AI on June 18, 2026 at 13:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Arcane to version 1.13.0 or later
  • Restrict API project creation privileges to administrators or disable the lifecycle label feature
  • Review existing deployments for projects that contain malicious lifecycle labels and remove or neutralize them

Generated by OpenCVE AI on June 18, 2026 at 13:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gjqq-6r35-w3r8 Arcane Has a Command Injection in Arcane Updater Lifecycle Labels That Enables RCE
History

Thu, 05 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Arcane
Arcane arcane
CPEs cpe:2.3:a:arcane:arcane:*:*:*:*:*:*:*:*
Vendors & Products Arcane
Arcane arcane

Fri, 16 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Getarcaneapp
Getarcaneapp arcane
Vendors & Products Getarcaneapp
Getarcaneapp arcane

Thu, 15 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 19:45:00 +0000

Type Values Removed Values Added
Description Arcane provides modern docker management. Prior to 1.13.0, Arcane has a command injection in the updater service. Arcane’s updater service supported lifecycle labels com.getarcaneapp.arcane.lifecycle.pre-update and com.getarcaneapp.arcane.lifecycle.post-update that allowed defining a command to run before or after a container update. The label value is passed directly to /bin/sh -c without sanitization or validation. Because any authenticated user (not limited to administrators) can create projects through the API, an attacker can create a project that specifies one of these lifecycle labels with a malicious command. When an administrator later triggers a container update (either manually or via scheduled update checks), Arcane reads the lifecycle label and executes its value as a shell command inside the container. This vulnerability is fixed in 1.13.0.
Title Arcane has a Command Injection in Arcane Updater Lifecycle Labels Enables RCE
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Arcane Arcane
Getarcaneapp Arcane
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-15T19:58:45.182Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23520

cve-icon Vulnrichment

Updated: 2026-01-15T19:58:41.451Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-15T20:16:05.467

Modified: 2026-06-17T10:21:43.083

Link: CVE-2026-23520

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')